Microsoft VBA For Outlook Addin Loaded Via Outlook
Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
Sigma rule (View on GitHub)
1title: Microsoft VBA For Outlook Addin Loaded Via Outlook
2id: 9a0b8719-cd3c-4f0a-90de-765a4cb3f5ed
3status: test
4description: Detects outlvba (Microsoft VBA for Outlook Addin) DLL being loaded by the outlook process
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=58
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/02/08
9modified: 2024/03/12
10tags:
11 - attack.execution
12 - attack.t1204.002
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 Image|endswith: '\outlook.exe'
19 ImageLoaded|endswith: '\outlvba.dll'
20 condition: selection
21falsepositives:
22 - Legitimate macro usage. Add the appropriate filter according to your environment
23level: medium
References
-
Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.
Read More
Related rules
- Ursnif Malware C2 URL Pattern
- Download From Suspicious TLD - Whitelist
- Suspicious WMIC Execution Via Office Process
- HackTool - LittleCorporal Generated Maldoc Injection
- Suspicious Binary In User Directory Spawned From Office Application