Add files via upload

rules/windows/sysmon/sysmon_registry_trust_record_modification.yml

@@ -0,0 +1,24 @@
+title: Windows Registry Trust Record Modification
+id: 295a59c1-7b79-4b47-a930-df12c15fc9c2
+status: experimental
+description: Alerts on trust record modification within the registry, indicating usage of macros
+references:
+    - https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/
+    - http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
+author: Antonlovesdnb
+date: 2020/2/19
+modified: 2020/2/19
+tags:
+    - attack.initial.access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 12
+        TargetObject|contains: 'TrustRecords'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: medium

rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml

@@ -0,0 +1,30 @@
+title: VBA DLL Loaded Via Microsoft Word
+id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
+status: experimental
+description: Detects DLL's Loaded Via Word Containing VBA Macros
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2019/12/26
+tags:
+    - attack.initial.access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*\VBE7.DLL'
+            - '*\VBEUI.DLL'
+            - '*\VBE7INTL.DLL'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high