New Outlook Macro Created
Detects the creation of a macro file for Outlook.
Sigma rule
```yaml
title: New Outlook Macro Created
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
related:
    - id: 117d3d3a-755c-4a61-b23e-9171146d094c
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
falsepositives:
    - User genuinely creates a VB Macro for their email
level: medium
```
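As an added worked example (not part of the Sigma project or the rule author's material), the Python below applies the rule's selection to constructed file_event records in the shape of Sysmon FileCreate (Event ID 11) data, which is the usual backend for the windows/file_event logsource. The field names and suffixes come from the rule; the sample paths and process names are constructed, and the comparison is lower-cased because Sigma string modifiers such as `endswith` match case-insensitively by default.

```python
"""Evaluate the 'New Outlook Macro Created' Sigma selection over sample
file_event records. Added example; not code from the Sigma project."""
from typing import Dict, List

# Suffixes taken from the rule's selection. Sigma matches strings
# case-insensitively, so both suffix and field value are lower-cased.
IMAGE_SUFFIX = "\\outlook.exe"
TARGET_SUFFIX = "\\microsoft\\outlook\\vbaproject.otm"


def matches_rule(event: Dict[str, str]) -> bool:
    """True when both fields of 'selection' match (condition: selection)."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    return image.endswith(IMAGE_SUFFIX) and target.endswith(TARGET_SUFFIX)


def find_matches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (Sysmon Event ID 11 style); paths are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Outlook itself writing its VBA project file: the rule fires.
        "EventID": "11",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM",
    },
    {   # Outlook writing an unrelated data file: no match.
        "EventID": "11",
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice.ost",
    },
    {   # A different process writing VbaProject.OTM: outside this rule,
        # which requires Image to end with \outlook.exe.
        "EventID": "11",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM",
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        # level: medium in the rule; the listed false positive (a user
        # authoring their own macro) is indistinguishable at this layer,
        # so triage should check who was logged on and whether a macro
        # was expected on that host.
        print("MEDIUM: Outlook macro file created:", hit["TargetFilename"])
```

Only the first sample record matches; the third shows why a separate rule is needed when something other than Outlook writes the macro file, since this rule's selection binds on the Outlook process image.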
Related rules
- Outlook Macro Execution Without Warning Setting Enabled
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Suspicious Outlook Macro Created
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD