admin/RmEye
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #2 from Fplyth0ner-Combie/main

Browse Source 
Add: New detection rule about microsoft outlook
This commit is contained in:
Huoji's
2022-09-11 15:23:01 +08:00
committed by GitHub
parent 5fcfd6ec02 343e50a39d
commit 83d1d97e57
2 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
Server/rules/py/action.py
View File

@@ -1,4 +1,11 @@
rule = [
{
'rules': [
'action == "filecreate" and targetfilename =~ "c:\\users\\.*\\appdata\\roaming\\microsoft\\outlook\\vbaproject.otm"'
],
'score': 300,
'name': '已知Outlook模板宏持久化行为'
},
{
'rules': [
'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',

1
sysmon.xml
View File

@@ -583,6 +583,7 @@
<TargetFilename name="T1176" condition="end with">.crx</TargetFilename> <!--Chrome extension-->
<TargetFilename condition="end with">.dmp</TargetFilename> <!--Process dumps [ (fr) http://blog.gentilkiwi.com/securite/mimikatz/minidump ] -->
<TargetFilename condition="end with">.docm</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename condition="end with">.otm</TargetFilename> <!--Microsoft:Office:VBS: Macro-->
<TargetFilename name="DLL" condition="end with">.dll</TargetFilename> <!--Microsoft:Office:Word: Macro-->
<TargetFilename name="EXE" condition="end with">.exe</TargetFilename> <!--Executable-->
<TargetFilename name="ProcessHostingdotNETCode" condition="end with">.exe.log</TargetFilename> <!-- [ https://github.com/bitsadmin/nopowershell ] | Credit: @SBousseaden [ https://twitter.com/SBousseaden/status/1137493597769687040 ] -->