sigma |
microsoft365_activity_by_terminated_user.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_activity_from_anonymous_ip_addresses.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_activity_from_infrequent_country.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_data_exfiltration_to_unsanctioned_app.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_from_suspicious_ip_addresses.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_impossible_travel_activity.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_logon_from_risky_ip_address.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_potential_ransomware_activity.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_suspicious_inbox_forwarding.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_suspicious_oauth_app_file_download_activities.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_unusual_volume_of_file_deletion.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
microsoft365_user_restricted_from_sending_email.yml |
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference |
DRL 1.0 |
sigma |
win_adcs_certificate_template_configuration_vulnerability.yml |
title: ADCS Certificate Template Configuration Vulnerability |
DRL 1.0 |
sigma |
win_adcs_certificate_template_configuration_vulnerability.yml |
description: Detects certificate creation using a template that allows risky subject permissions |
DRL 1.0 |
sigma |
win_adcs_certificate_template_configuration_vulnerability.yml |
definition: When Certificate Services loads a template, event ID 4898 is triggered; when a Certificate Services template is updated, event ID 4899 is triggered. A risky permission is likely present if the template contains a specific flag. |
DRL 1.0 |
sigma |
win_adcs_certificate_template_configuration_vulnerability_eku.yml |
title: ADCS Certificate Template Configuration Vulnerability with Risky EKU |
DRL 1.0 |
sigma |
win_adcs_certificate_template_configuration_vulnerability_eku.yml |
description: Detects certificate creation using a template that allows risky subject permissions together with a risky EKU |
DRL 1.0 |
sigma |
win_adcs_certificate_template_configuration_vulnerability_eku.yml |
definition: When Certificate Services loads a template, event ID 4898 is triggered; when a Certificate Services template is updated, event ID 4899 is triggered. A risky permission is likely present if the template contains a specific flag together with a risky EKU. |
DRL 1.0 |
malware-ioc |
gamaredon |
advansed-template.site |
© ESET 2014-2018 |
malware-ioc |
gamaredon |
fix-template.site |
© ESET 2014-2018 |
malware-ioc |
gamaredon |
new-template.site |
© ESET 2014-2018 |
malware-ioc |
gamaredon |
normal-template.site |
© ESET 2014-2018 |
malware-ioc |
gamaredon |
old-template.site |
© ESET 2014-2018 |
malware-ioc |
turla |
* hxxp://hotnews.16mb.com/wp-content/themes/twentysixteen/template-parts/content-header.php |
© ESET 2014-2018 |
atomic-red-team |
index.md |
- T1221 Template Injection |
MIT License. © 2018 Red Canary |
atomic-red-team |
index.md |
- Atomic Test #1: WINWORD Remote Template Injection [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
index.md |
- T1137.001 Office Template Macros CONTRIBUTE A TEST |
MIT License. © 2018 Red Canary |
atomic-red-team |
linux-index.md |
- T1137.001 Office Template Macros CONTRIBUTE A TEST |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-index.md |
- T1221 Template Injection |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-index.md |
- Atomic Test #1: WINWORD Remote Template Injection [windows] |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-index.md |
- T1137.001 Office Template Macros CONTRIBUTE A TEST |
MIT License. © 2018 Red Canary |
atomic-red-team |
linux-matrix.md |
| | | Office Template Macros CONTRIBUTE A TEST | Valid Accounts CONTRIBUTE A TEST | Hidden Files and Directories | Unsecured Credentials CONTRIBUTE A TEST | User Activity Based Checks CONTRIBUTE A TEST | | | | Protocol Tunneling CONTRIBUTE A TEST | | |
MIT License. © 2018 Red Canary |
atomic-red-team |
matrix.md |
| | | Office Template Macros CONTRIBUTE A TEST | Portable Executable Injection CONTRIBUTE A TEST | Hijack Execution Flow CONTRIBUTE A TEST | | | | | | | | |
MIT License. © 2018 Red Canary |
atomic-red-team |
matrix.md |
| | | | | Template Injection | | | | | | | | |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-matrix.md |
| | | Office Template Macros CONTRIBUTE A TEST | Path Interception by Search Order Hijacking CONTRIBUTE A TEST | Hide Artifacts | Web Cookies CONTRIBUTE A TEST | | | | | | | |
MIT License. © 2018 Red Canary |
atomic-red-team |
windows-matrix.md |
| | | | | Template Injection | | | | | | | | |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1137.md |
<blockquote>Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1187.md |
Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. Template Injection), or place a specially crafted file on a navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user’s system accesses the untrusted resource it will attempt authentication and send information, including the user’s hashed credentials, over SMB to the adversary-controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform offline brute-force cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB) |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1187.md |
* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. Template Injection). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017) |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1221.md |
# T1221 - Template Injection |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1221.md |
Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded. |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1221.md |
Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as Phishing and/or Taint Shared Content and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017) |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1221.md |
This technique may also enable Forced Authentication by injecting an SMB/HTTPS (or other credential-prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)</blockquote> |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1221.md |
- Atomic Test #1 - WINWORD Remote Template Injection |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1221.md |
## Atomic Test #1 - WINWORD Remote Template Injection |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1221.md |
Open a .docx file that loads a remote, macro-enabled .dotm template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm |
MIT License. © 2018 Red Canary |
atomic-red-team |
T1221.md |
Executes the code specified within the .dotm template. |
MIT License. © 2018 Red Canary |
signature-base |
apt_lazarus_dec20.yar |
description = "Webshell named template-query.aspimg.asp used by APT37" |
CC BY-NC 4.0 |
signature-base |
apt_moonlightmaze.yar |
$a3="template string = |%s|" ascii wide |
CC BY-NC 4.0 |
signature-base |
apt_wilted_tulip.yar |
$x2 = "C:\Users\admin\Documents\visual studio 2015\Projects\Export\TDTESS_ShortOne\WinService Template\" ascii |
CC BY-NC 4.0 |
signature-base |
apt_wilted_tulip.yar |
$s1 = "\WinService Template\obj\x64\x64\winlogin" ascii |
CC BY-NC 4.0 |
signature-base |
crime_cobalt_gang_pdf.yar |
description = "Find documents saved from the same potential Cobalt Gang PDF template" |
CC BY-NC 4.0 |
signature-base |
exploit_shitrix.yar |
$s07 = "template.new({'BLOCK'='print readpipe(" ascii /* TrustedSec template */ |
CC BY-NC 4.0 |
signature-base |
exploit_shitrix.yar |
$s09 = "template.new({'BLOCK'=" /* PZI exploit URL decoded form */ |
CC BY-NC 4.0 |
signature-base |
exploit_shitrix.yar |
$s10 = "template.new({'BLOCK'%3d" /* PZI exploit URL encoded form */ |
CC BY-NC 4.0 |
signature-base |
gen_github_net_redteam_tools_guids.yar |
reference = "https://github.com/FuzzySecurity/Driver-Template" |
CC BY-NC 4.0 |
signature-base |
thor-hacktools.yar |
$s12 = "iKAT Exe Template" fullword ascii |
CC BY-NC 4.0 |
signature-base |
thor-webshells.yar |
$s2 = “<xsl:template match=""/root"">” ascii fullword |
CC BY-NC 4.0 |