Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
Sigma rule (View on GitHub)
1title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
2id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
3status: test
4description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
7 - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2021-04-05
10modified: 2023-08-17
11tags:
12 - attack.persistence
13 - attack.command-and-control
14 - attack.t1137
15 - attack.t1008
16 - attack.t1546
17logsource:
18 category: registry_set
19 product: windows
20detection:
21 selection:
22 TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
23 Details|contains: '0x00000001'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high
References
Related rules
- New Outlook Macro Created
- Outlook Macro Execution Without Warning Setting Enabled
- Suspicious Outlook Macro Created
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD