From 857d65f7114a5b5721287a2616438c28f43b0a33 Mon Sep 17 00:00:00 2001
From: Bhabesh <bhabeshraj678@gmail.com>
Date: Thu, 21 May 2020 20:21:11 +0545
Subject: [PATCH 1/2] Added detection for CVE-2017-0199 and CVE-2017-8759.

---
 sysmonconfig-export.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index f6688b3..851f8b4 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -311,6 +311,9 @@
 			<Image condition="image">tasklist.exe</Image> <!--Windows: List processes, has remote ability -->
 			<Image condition="image">wmic.exe</Image> <!--WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">wscript.exe</Image> <!--WindowsScriptingHost: | Credit @arekfurt -->
+			
+			<Image condition="image">WINWORD.exe</Image> <!-- CVE-2017-0199, CVE-2017-8759 OLE2 embedded link in Office initiating a HTTP request to a remote server to retrieve payload [https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html] [https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html]-->
+			<Image condition="image">EXCEL.exe</Image> <!-- [https://www.logpoint.com/en/blog/using-logpoint-to-mitigate-cisa-routinely-exploited-vulnerabilities-2016-2020/]-->>
 			<!--Relevant 3rd Party Tools-->
 			<Image condition="image">nc.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
 			<Image condition="image">ncat.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->

From 960328e6f4b294ef4aa80b118b56c86758693879 Mon Sep 17 00:00:00 2001
From: Bhabesh <bhabeshraj678@gmail.com>
Date: Fri, 22 May 2020 16:13:01 +0545
Subject: [PATCH 2/2] Written comment for added rule.

---
 sysmonconfig-export.xml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sysmonconfig-export.xml b/sysmonconfig-export.xml
index 851f8b4..8c1c82a 100644
--- a/sysmonconfig-export.xml
+++ b/sysmonconfig-export.xml
@@ -312,8 +312,10 @@
 			<Image condition="image">wmic.exe</Image> <!--WindowsManagementInstrumentation: Credit @Cyb3rOps [ https://gist.github.com/Neo23x0/a4b4af9481e01e749409 ] -->
 			<Image condition="image">wscript.exe</Image> <!--WindowsScriptingHost: | Credit @arekfurt -->
 			
+			<!--It shoud be noted that this might create some noise as Office might regularly phone back to microsoft domains.-->>
 			<Image condition="image">WINWORD.exe</Image> <!-- CVE-2017-0199, CVE-2017-8759 OLE2 embedded link in Office initiating a HTTP request to a remote server to retrieve payload [https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html] [https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html]-->
-			<Image condition="image">EXCEL.exe</Image> <!-- [https://www.logpoint.com/en/blog/using-logpoint-to-mitigate-cisa-routinely-exploited-vulnerabilities-2016-2020/]-->>
+			<Image condition="image">EXCEL.exe</Image>   <!-- [https://www.logpoint.com/en/blog/using-logpoint-to-mitigate-cisa-routinely-exploited-vulnerabilities-2016-2020/]-->>
+			
 			<!--Relevant 3rd Party Tools-->
 			<Image condition="image">nc.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->
 			<Image condition="image">ncat.exe</Image> <!-- Nmap's modern version of netcat [ https://nmap.org/ncat/guide/index.html#ncat-overview ] [ https://securityblog.gr/1517/create-backdoor-in-windows-with-ncat/ ] -->