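---
# Sigma detection rule (Windows process_creation).
# Structure below is the rule's intended block-style layout: the page showed
# every key at column 0 with the nesting lost, which a YAML parser would reject
# or mis-nest. Content is unchanged; comments, document start and ATT&CK tags
# are added.
title: Suspicious Download from Office Domain
id: 00d49ed5-4491-4271-a8db-650a4ef6f8c1
status: experimental
description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in Emails or OneNote documents
author: Florian Roth
date: 2021/12/27
references:
  - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
  - https://twitter.com/mrd0x/status/1475085452784844803?s=12
# Ingress Tool Transfer: the rule fires on a file being pulled from an
# external host with built-in tooling, which is what T1105 covers.
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  product: windows
  category: process_creation
detection:
  # A list of maps under one selection is OR-ed in Sigma: match if EITHER the
  # process image is curl/wget OR the command line contains one of the
  # PowerShell / .NET download primitives.
  selection_download:
    - Image|endswith:
        - '\curl.exe'
        - '\wget.exe'
    - CommandLine|contains:
        - 'Start-BitsTransfer'
        - '.DownloadFile('
        - '.DownloadString('
  # Plain substring match on the command line: the URL has to appear in clear
  # text. A URL that is encoded, split across variables or passed via a file
  # is not covered by this rule.
  selection_domains:
    CommandLine|contains:
      - 'https://attachment.outlook.live.net/owa/'
      - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
  # Both selections must hold on the same process-creation event; the domain
  # alone is benign traffic, the download primitive alone is too noisy.
  condition: selection_download and selection_domains
falsepositives:
  # Legitimate automation against these endpoints will look identical on the
  # command line; tune on parent process / user rather than on the URL.
  - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
level: high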