Persistence via Microsoft Outlook VBA

calendar Oct 15, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon Data Source: Microsoft Defender for Endpoint Data Source: SentinelOne  ·
Share on: linkedin copy

Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/23"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = "Detects attempts to establish persistence on an endpoint by installing a rogue Microsoft Outlook VBA Template."
12false_positives = ["A legitimate VBA for Outlook is usually configured interactively via OUTLOOK.EXE."]
13from = "now-9m"
14index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Persistence via Microsoft Outlook VBA"
18references = [
19    "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/",
20    "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/",
21]
22risk_score = 47
23rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438"
24severity = "medium"
25tags = [
26    "Domain: Endpoint",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Persistence",
30    "Data Source: Elastic Endgame",
31    "Data Source: Elastic Defend",
32    "Data Source: Sysmon",
33    "Data Source: Microsoft Defender for Endpoint",
34    "Data Source: SentinelOne",
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40file where host.os.type == "windows" and event.type != "deletion" and
41 file.path : "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM"
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1137"
49name = "Office Application Startup"
50reference = "https://attack.mitre.org/techniques/T1137/"
51
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"

References

  • A Fresh Outlook on Mail Based Persistence - MDSec

    Introduction Low privileged, user land persistence techniques are worth their weight in gold, as there are far fewer opportunities from this perspective than when you’re elevated. As such, we are...


    Read More

  • Outlook-Backdoor using VBA

    In this post I will share with you how to create a simple yet effective method to obtain persistence, code execution and leak emails of interest from a victim using outlook and with limited user privileges. What is VBA for Outlook? Visual Basic for Applications (VBA) is one of two programming langua


    Read More

Related rules

to-top