From a1101ee9a785cc40a8465a240a58bcf92f89268a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 2 Jul 2021 16:05:59 +0200
Subject: [PATCH 1/4] fix: missing file / wrong casing in branch
---
 .../win_outlook_c2_registry_key.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/registry_event/win_outlook_c2_registry_key.yml
diff --git a/rules/windows/registry_event/win_outlook_c2_registry_key.yml b/rules/windows/registry_event/win_outlook_c2_registry_key.yml
new file mode 100644
index 00000000..4d652427
--- /dev/null
+++ b/rules/windows/registry_event/win_outlook_c2_registry_key.yml
@@ -0,0 +1,25 @@
+title: Outlook C2 Registry Key
+id: e3b50fa5-3c3f-444e-937b-0a99d33731cd
+status: experimental
+description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other.
+references:
+ - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+ - attack.persistence
+ - attack.command_and_control
+ - attack.t1137
+ - attack.t1008
+ - attack.t1546
+date: 2021/04/05
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_registry:
+ TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'
+ Details|contains: '0x00000001'
+ condition: selection_registry
+falsepositives:
+ - Unlikely
+level: medium
From d3d018e60052eb7539bca9c2da63a493e3e68c63 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 2 Jul 2021 22:02:46 +0200
Subject: [PATCH 2/4] fix: escape character that would be interpreted as wildcard
---
 rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
index 040b921f..bfdf3336 100644
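Review bot: The exact-match `TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'` in selection_registry is unlikely to fire on Sysmon registry events, where the user hive is normally recorded as `HKU\<SID>\...` rather than `HKEY_CURRENT_USER\...`, and it also pins the rule to Office 16.0 only. Suggest `TargetObject|endswith: '\Software\Microsoft\Office\16.0\Outlook\Security\Level'`, or `TargetObject|contains: '\Outlook\Security\Level'` if older Office builds should be covered, leaving `Details|contains: '0x00000001'` unchanged. The indentation of the hunk lines is lost in this view, so the nesting of selection_registry under detection should be verified in the committed file.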
--- a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 EventID: 5145
- ShareName: \\*\IPC$
+ ShareName: \\\*\IPC$
 RelativeTargetName: spoolss
 condition: selection
 falsepositives:
From 43735a5714eba0b2b9e6dcd24259157b97e29e0f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 2 Jul 2021 23:50:03 +0200
Subject: [PATCH 3/4] revert: change in other rule
---
 rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
index bfdf3336..040b921f 100644
--- a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
+++ b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 EventID: 5145
- ShareName: \\\*\IPC$
+ ShareName: \\*\IPC$
 RelativeTargetName: spoolss
 condition: selection
 falsepositives:
From e25a9cd3b8e122f810153df27e3da7b39c596101 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 2 Jul 2021 23:50:18 +0200
Subject: [PATCH 4/4] fix: escape character that would be interpreted as wildcard
---
 .../builtin/win_exploit_cve_2021_1675_printspooler_Security.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
index c6cd8a33..ce921b98 100644
--- a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
+++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler_Security.yml
@@ -17,7 +17,7 @@ logsource:
 detection:
 selection:
 EventID: '5145'
- ShareName: '\\*\IPC$'
+ ShareName: '\\\*\IPC$'
 RelativeTargetName: 'spoolss'
 AccessMask: '0x3'
 ObjectType: 'File'
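Review bot: Under Sigma's escaping rules `\\\*` denotes a single backslash followed by a literal asterisk, so the new `ShareName: '\\\*\IPC$'` in PATCH 4/4 matches the value `\*\IPC$` with one leading backslash, whereas the share name in a 5145 event is written as `\\*\IPC$` with two. If that literal is the target, the backslash pair needs escaping as well, which should read `ShareName: '\\\\\*\IPC$'`; the rendered query is worth checking against a real 5145 event before relying on it. The previous form `\\*\IPC$` (one backslash followed by a wildcard) appears to have matched that value only because the wildcard swallowed `\*`, and it is the form the spoolss rule keeps after the revert in PATCH 3/4, so both rules should end up using the same spelling.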