mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
6f05e33feb
Correct a number of rules where message or keyword were incorrectly used as field names in events (typically windows event logs). However, neither field actually exists and as such these strings could never match.
25 lines
671 B
YAML
title: Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
author: Jose Rodriguez @Cyb3rPandaH
status: experimental
date: 2021/03/15
references:
    - https://twitter.com/OTR_Community/status/1371053369071132675
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    service: msexchange-management
detection:
    selection:
        - 'Set-OabVirtualDirectory'
        - 'ExternalUrl'
        - 'Page_Load'
        - 'script'
    condition: all of selection
falsepositives:
    - Unknown
level: high
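To show the point of the commit message, here is an added Python example (not code from the SigmaHQ repository): keyword-list matching over constructed MSExchange Management events, placed beside the broken pattern of looking up a field named `message`, which no collector emits. It assumes that `all of selection` over a keyword list requires every keyword to be present; the field names and event text in the samples are constructed.

```python
"""Keyword-list matching for the rule above, run over constructed sample events."""

# The four keyword strings from the rule's selection list.
KEYWORDS = ["Set-OabVirtualDirectory", "ExternalUrl", "Page_Load", "script"]

# Constructed sample events, shaped like a Windows log collector would ship
# them: structured fields only, and no field literally named 'message'.
EVENTS = [
    {
        "Channel": "MSExchange Management",
        "EventID": 1,
        "Data": ("Set-OabVirtualDirectory -Identity 'EXCH\\OAB (Default Web Site)' "
                 "-ExternalUrl 'http://f/<script runat=\"server\">Page_Load</script>'"),
    },
    {
        "Channel": "MSExchange Management",
        "EventID": 1,
        "Data": "Set-OabVirtualDirectory -Identity 'EXCH\\OAB' "
                "-ExternalUrl 'https://mail.example.test/OAB'",
    },
]


def event_text(event):
    """Flatten every field value into one searchable string (keyword semantics)."""
    return " ".join(str(v) for v in event.values())


def field_match(event, field, keywords):
    """The broken pattern the commit removes: match against a named field such as
    'message'. When the field is absent the rule can never fire."""
    value = event.get(field)
    if value is None:
        return False
    return all(k.lower() in str(value).lower() for k in keywords)


def keyword_match(event, keywords):
    """Sigma keyword-list matching: case-insensitive substring search over the
    whole event text; 'all of' is read as requiring every keyword (assumption)."""
    text = event_text(event).lower()
    return all(k.lower() in text for k in keywords)


def run_rule(events):
    """Return the indexes of events that the rule fires on."""
    return [i for i, e in enumerate(events) if keyword_match(e, KEYWORDS)]


if __name__ == "__main__":
    print("field 'message':", [field_match(e, "message", KEYWORDS) for e in EVENTS])
    print("keyword list:", run_rule(EVENTS))
```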