Find sigma rule

Attack: Office Application Startup

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

MITRE

Tactic

persistence

technique

T1137

Test : Office Application Startup - Outlook as a C2

OS

windows

Description:

As outlined in MDSEC’s Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2. Too achieve this two things must happened on the syste

The macro security registry value must be set to ‘4’
A file called VbaProject.OTM must be created in the Outlook Folder.

Executor

command_prompt

Sigma Rule

registry_set_office_outlook_security_settings.yml (id: c3cefdf4-6703-4e1c-bad8-bf422fc5015a)
file_event_win_office_outlook_macro_creation.yml (id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test