Outlook Macro Execution Without Warning Setting Enabled

calendar Aug 17, 2023 · attack.persistence attack.command_and_control attack.t1137 attack.t1008 attack.t1546  ·
Share on: linkedin copy

Detects the modification of Outlook security setting to allow unprompted execution of macros.

Sigma rule (View on GitHub)

 1title: Outlook Macro Execution Without Warning Setting Enabled
 2id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
 3status: test
 4description: Detects the modification of Outlook security setting to allow unprompted execution of macros.
 5references:
 6    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
 7    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
 8author: '@ScoubiMtl'
 9date: 2021/04/05
10modified: 2023/08/17
11tags:
12    - attack.persistence
13    - attack.command_and_control
14    - attack.t1137
15    - attack.t1008
16    - attack.t1546
17logsource:
18    category: registry_set
19    product: windows
20detection:
21    selection:
22        TargetObject|endswith: '\Outlook\Security\Level'
23        Details|contains: '0x00000001' # Enable all Macros
24    condition: selection
25falsepositives:
26    - Unlikely
27level: high

References

  • A Fresh Outlook on Mail Based Persistence - MDSec

    Introduction Low privileged, user land persistence techniques are worth their weight in gold, as there are far fewer opportunities from this perspective than when you’re elevated. As such, we are...


    Read More

  • Hunting for persistence via Microsoft Exchange Server or Outlook

    Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.


    Read More

Related rules

to-top