Outlook Security Settings Updated - Registry

Detects changes to the registry values related to Outlook security settings.

Sigma rule (View on GitHub)

title: Outlook Security Settings Updated - Registry
id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a
related:
    - id: a166f74e-bf44-409d-b9ba-ea4b2dd8b3cd # EnableUnsafeClientMailRules
      type: similar
status: test
description: Detects changes to the registry values related to outlook security settings
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137/T1137.md
    - https://learn.microsoft.com/en-us/outlook/troubleshoot/security/information-about-email-security-settings
author: frack113
date: 2021/12/28
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.t1137
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\Security\'
    condition: selection
falsepositives:
    - Administrative activity
level: medium
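
The selection logic applied to sample events, as an added example (not part of the rule or of any Sigma tooling). The event fields, SID, process images and value names other than EnableUnsafeClientMailRules are constructed; it assumes Sigma's default case-insensitive matching and shows which paths fall inside and outside the `contains|all` selection.

```python
# Added example: the rule's selection applied to constructed registry_set events.
# Sigma compares strings case-insensitively; `contains|all` needs every substring.
RULE_SUBSTRINGS = ("\\SOFTWARE\\Microsoft\\Office\\", "\\Outlook\\Security\\")


def matches_selection(target_object: str) -> bool:
    """True when TargetObject contains all of the rule's substrings."""
    value = target_object.lower()
    return all(s.lower() in value for s in RULE_SUBSTRINGS)


def triage(events):
    """Return (image, value name) for each event the selection matches."""
    hits = []
    for ev in events:
        if matches_selection(ev["TargetObject"]):
            hits.append((ev["Image"], ev["TargetObject"].rsplit("\\", 1)[-1]))
    return hits


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
HIVE = "HKU\\" + SID
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    # Matches: value named in the rule's related entry.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": HIVE + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\EnableUnsafeClientMailRules"},
    # Matches: different letter case in the path.
    {"Image": r"C:\Windows\regedit.exe",
     "TargetObject": HIVE + r"\Software\Microsoft\Office\16.0\Outlook\Security\Level"},
    # No match: Outlook key, but not under \Outlook\Security\.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": HIVE + r"\SOFTWARE\Microsoft\Office\16.0\Outlook\Options\Mail\EditorPreference"},
    # No match: another Office application's Security key.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "TargetObject": HIVE + r"\SOFTWARE\Microsoft\Office\16.0\Excel\Security\VBAWarnings"},
    # No match: the policy-managed path has \Policies\ between SOFTWARE and
    # Microsoft, so the first substring is absent; cover it separately if needed.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": HIVE + r"\SOFTWARE\Policies\Microsoft\Office\16.0\Outlook\Security\Level"},
]

if __name__ == "__main__":
    for image, name in triage(SAMPLE_EVENTS):
        print(f"match: {name} set by {image}")
```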
