Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
Sigma rule (View on GitHub)
1title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
2id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
3status: test
4description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
7 - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2021-04-05
10modified: 2023-08-17
11tags:
12 - attack.privilege-escalation
13 - attack.persistence
14 - attack.command-and-control
15 - attack.t1137
16 - attack.t1008
17 - attack.t1546
18logsource:
19 category: registry_set
20 product: windows
21detection:
22 selection:
23 TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
24 Details|contains: '0x00000001'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
-
Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired targ…
Read More -
In this post I will share with you how to create a simple yet effective method to obtain persistence, code execution and leak emails of interest from a victim using outlook and with limited user privileges. What is VBA for Outlook? Visual Basic for Applications (VBA) is one of two programming langua
Read More
Related rules
- New Outlook Macro Created
- Outlook Macro Execution Without Warning Setting Enabled
- Suspicious Outlook Macro Created
- COM Hijack via Sdclt
- Control Panel Items