Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting

Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
 2id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
 3status: test
 4description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
 7    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
 8author: Nasreddine Bencherchali (Nextron Systems)
 9date: 2021/04/05
10modified: 2023/08/17
11tags:
12    - attack.persistence
13    - attack.command_and_control
14    - attack.t1137
15    - attack.t1008
16    - attack.t1546
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
23        Details|contains: '0x00000001'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high

References

Related rules

to-top