SigmaHQ/rules/windows/registry_event/win_outlook_c2_registry_key.yml

title: Outlook C2 Registry Key
id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
status: experimental
description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
references:
    - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
tags:
    - attack.persistence
    - attack.command_and_control
    - attack.t1137
    - attack.t1008
    - attack.t1546
date: 2021/04/05
logsource:
    category: registry_event
    product: windows
detection:
    selection_registry:
        TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'
        Details|contains: '0x00000001'
    condition: selection_registry
falsepositives:
    - Unlikely
level: medium
Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 07:41:38 +00:00			`title: Outlook C2 Registry Key`
Create win_Outlook_C2_Macro_Creation.yml BEC is for Business Email Compromise (this can be changed) 2021-04-21 00:38:20 +00:00			`id: e3b50fa5-3c3f-444e-937b-0a99d33731cd`
			`status: experimental`
Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 07:41:38 +00:00			`description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.`
Create win_Outlook_C2_Macro_Creation.yml BEC is for Business Email Compromise (this can be changed) 2021-04-21 00:38:20 +00:00			`references:`
			`- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/`
			`author: '@ScoubiMtl'`
			`tags:`
			`- attack.persistence`
			`- attack.command_and_control`
Add a space There was a missing space in `-attack` changed for `- attack` 2021-04-21 00:50:20 +00:00			`- attack.t1137`
Create win_Outlook_C2_Macro_Creation.yml BEC is for Business Email Compromise (this can be changed) 2021-04-21 00:38:20 +00:00			`- attack.t1008`
			`- attack.t1546`
			`date: 2021/04/05`
			`logsource:`
refactor: moved rule 2021-05-05 10:11:59 +00:00			`category: registry_event`
Create win_Outlook_C2_Macro_Creation.yml BEC is for Business Email Compromise (this can be changed) 2021-04-21 00:38:20 +00:00			`product: windows`
			`detection:`
			`selection_registry:`
Update and rename rules/windows/other/win_Outlook_C2_Registry_Key.yml to rules/windows/registry_event_write/win_outlook_C2_registry_key.yml 2021-05-04 07:41:38 +00:00			`TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'`
			`Details\|contains: '0x00000001'`
Create win_Outlook_C2_Macro_Creation.yml BEC is for Business Email Compromise (this can be changed) 2021-04-21 00:38:20 +00:00			`condition: selection_registry`
			`falsepositives:`
			`- Unlikely`
			`level: medium`