Outlook Macro Execution Without Warning Setting Enabled
Detects the modification of Outlook security setting to allow unprompted execution of macros.
Sigma rule

```yaml
title: Outlook Macro Execution Without Warning Setting Enabled
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: test
description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
author: '@ScoubiMtl'
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\Level'
        Details|contains: '0x00000001' # Enable all Macros
    condition: selection
falsepositives:
    - Unlikely
level: high
```
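To show what this selection actually fires on, here is an added Python example (not part of the Sigma project or this rule) that applies the same `endswith`/`contains` logic to constructed Sysmon registry_set events; the SID, Office version path and process images are hypothetical.

```python
"""Evaluate the rule's 'selection' against constructed registry_set events."""
from dataclasses import dataclass


@dataclass
class RegistrySetEvent:
    """Subset of a Sysmon Event ID 13 (RegistryEvent: Value Set) record."""
    target_object: str
    details: str
    image: str = ""


def outlook_macro_level_enabled(event: RegistrySetEvent) -> bool:
    """Return True when the event satisfies the rule's selection.

    Sigma string modifiers (endswith / contains) compare case-insensitively,
    so both sides are lower-cased before comparison.
    """
    target = event.target_object.lower()
    details = event.details.lower()
    return target.endswith(r"\outlook\security\level") and "0x00000001" in details


# Constructed sample events; SID, Office version and image paths are hypothetical.
SAMPLE_EVENTS = [
    # Security\Level set to 1 ("Enable all macros") by reg.exe: should match.
    RegistrySetEvent(
        r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\Level",
        "DWORD (0x00000001)",
        r"C:\Windows\System32\reg.exe",
    ),
    # Same value written with a different level: should not match.
    RegistrySetEvent(
        r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\Level",
        "DWORD (0x00000003)",
        r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    ),
    # Value 1 under a different (hypothetical) key name: wrong path, should not match.
    RegistrySetEvent(
        r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Security\OtherValue",
        "DWORD (0x00000001)",
    ),
]


def matching_events(events):
    """Filter a batch of events down to those the rule would alert on."""
    return [e for e in events if outlook_macro_level_enabled(e)]


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print(f"ALERT: {hit.image or '<unknown>'} set {hit.target_object} = {hit.details}")
```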
Related rules
- New Outlook Macro Created
- Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
- Suspicious Outlook Macro Created
- Bitsadmin to Uncommon IP Server Address
- Bitsadmin to Uncommon TLD