-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathoffice_detection_spl
46 lines (39 loc) · 4.31 KB
/
office_detection_spl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
`sysmon` (Image=*WINWORD.EXE* OR ParentImage=*WINWORD.EXE*)
| bin _time span=1m
| eval ProcessGuid=coalesce(ProcessGuid,SourceProcessGUID)
| eval qualifiers=if(match(Image,"powershell\.exe"),mvappend(qualifiers,"PowerShell spawned from Office Product # score: 10"),qualifiers)
| eval qualifiers=if(match(Image,"cmd\.exe"),mvappend(qualifiers,"Command Prompt spawned from Office Product # score: 10"),qualifiers)
| eval qualifiers=if(match(Image,"cscript\.exe"),mvappend(qualifiers,"Cscript spawned from Office Product # score: 10"),qualifiers)
| eval qualifiers=if(match(Image,"wscript\.exe"),mvappend(qualifiers,"Wscript spawned from Office Product # score: 10"),qualifiers)
| eval qualifiers=if(match(Image,"schtasks\.exe"),mvappend(qualifiers,"Schtasks spawned from Office Product # score: 10"),qualifiers)
| eval qualifiers=if(match(Image,"wmic\.exe"),mvappend(qualifiers,"Wmic spawned from Office Product # score: 10"),qualifiers)
| eval qualifiers=if(match(Image,"mshta\.exe"),mvappend(qualifiers,"Mshta spawned from Office Product # score: 10"),qualifiers)
| eval qualifiers=if(match(Image,"regsvr32\.exe"),mvappend(qualifiers,"Regsvr32 spawned from Office Product # score: 10"),qualifiers)
| eval qualifiers=if(match(CommandLine,"\/c"),mvappend(qualifiers,"Command Prompt with suspicious parameters spawned from Office Product # score: 15"),qualifiers)
| eval qualifiers=if(match(CommandLine,"MyFileShare"),mvappend(qualifiers,"File Opened From Trusted Source # score: -3"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"VBE"),mvappend(qualifiers,"VBE DLL Loaded # score: 3"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"combase\.dll"),mvappend(qualifiers,"COM DLL Loaded # score: 4"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"clr\.dll"),mvappend(qualifiers,"DotNet Office Load # score: 10"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"assembly"),mvappend(qualifiers,"DotNet Native Image Office Load # score: 10"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"dsparse\.dll"),mvappend(qualifiers,"DSParse DLL Load # score: 10"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"kerberos\.dll"),mvappend(qualifiers,"Kerberos DLL Load # score: 10"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"msxml3\.dll"),mvappend(qualifiers,"XMLParse DLL Load # score: 10"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"msxml6\.dll"),mvappend(qualifiers,"XMLParse DLL Load # score: 10"),qualifiers)
| eval qualifiers=if(match(ImageLoaded,"taskschd\.dll"),mvappend(qualifiers,"Taskschd DLL Load # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetFilename,"\.jse"),mvappend(qualifiers,"Suspicious JSE File Created # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetFilename,"\.vbs"),mvappend(qualifiers,"Suspicious VBS File Created # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetFilename,"\.bat"),mvappend(qualifiers,"Suspicious BAT File Created # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetFilename,"\.exe"),mvappend(qualifiers,"Suspicious EXE File Created # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetFilename,"\.dll"),mvappend(qualifiers,"Suspicious DLL File Created # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetFilename,"\.hta"),mvappend(qualifiers,"Suspicious HTA File Created # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetFilename,"\.ps1"),mvappend(qualifiers,"Suspicious PS1 File Created # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetImage,"powershell"),mvappend(qualifiers,"Suspicious TargetImage (PowerShell) # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetImage,"cmd"),mvappend(qualifiers,"Suspicious TargetImage (CMD) # score: 10"),qualifiers)
| eval qualifiers=if(match(TargetObject,"Trusted Documents"),mvappend(qualifiers,"Trust Record Modification # score: 3"),qualifiers)
| eval qualifiers=if(match(GrantedAccess,"0x1fffff"),mvappend(qualifiers,"RWX Granted Access in CallTrace # score: 2"),qualifiers)
| eval qualifiers=if(match(CallTrace,"framedynos\.dll\+22306"),mvappend(qualifiers,"Suspicious WMI Function # score: 10"),qualifiers)
| eval qualifiers=if(match(Description,"WMI"),mvappend(qualifiers,"Suspicious WMI ImageLoad # score: 10"),qualifiers)
| rex field=qualifiers "(?<=score: )(?<score>(.*)(?=))"
| eventstats sum(score) as score_total by host,_time
| search qualifiers=*
| stats values(qualifiers),values(score_total) BY host,_time