Suspicious Outlook Macro Created
Detects the creation of a macro file for Outlook.
Sigma rule

```yaml
title: Suspicious Outlook Macro Created
id: 117d3d3a-755c-4a61-b23e-9171146d094c
related:
    - id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
      type: derived
status: test
description: Detects the creation of a macro file for Outlook.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-02-08
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    filter:
        Image|endswith: '\outlook.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
```
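To make the rule's logic concrete, here is an added example (not part of the rule or the SigmaHQ project) that evaluates the `selection and not filter` condition over constructed Sysmon FileCreate records; it assumes events are dicts carrying `Image` and `TargetFilename`, and applies Sigma's default case-insensitive string matching.

```python
"""Evaluate the 'Suspicious Outlook Macro Created' detection logic over sample file events."""
from typing import Dict, List

# Suffix values taken from the rule's selection and filter.
SELECTION_TARGET_SUFFIX = r"\Microsoft\Outlook\VbaProject.OTM"
FILTER_IMAGE_SUFFIX = r"\outlook.exe"


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string matching is case-insensitive by default, so compare lower-cased."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies 'selection and not filter'.

    selection: TargetFilename ends with the VbaProject.OTM path
    filter:    Image ends with \\outlook.exe (the expected writer of that file)
    """
    selection = _endswith_ci(event.get("TargetFilename", ""), SELECTION_TARGET_SUFFIX)
    filtered = _endswith_ci(event.get("Image", ""), FILTER_IMAGE_SUFFIX)
    return selection and not filtered


def find_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample Sysmon Event ID 11 (FileCreate) records; not real telemetry.
SAMPLE_EVENTS = [
    {  # Outlook itself saving the macro project (uppercase image name): filtered out
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
    },
    {  # a scripting host writing the macro file: should alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
    },
    {  # unrelated file in the same directory: no match
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\Outlook.srs",
    },
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["TargetFilename"])
```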
Related rules
- New Outlook Macro Created
- Outlook Macro Execution Without Warning Setting Enabled
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD