valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
e66007a43d
SigmaHQ/rules/windows/file_event/win_outlook_c2_macro_creation.yml
frack113 7753f8c22e fix tags
2021-08-24 12:36:31 +02:00

25 lines
860 B
YAML
Raw Blame History

title: Outlook C2 Macro Creation
id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
status: experimental
description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
author: '@ScoubiMtl'
tags:
- attack.persistence
- attack.command_and_control
- attack.t1137
- attack.t1008
- attack.t1546
date: 2021/04/05
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
condition: selection
falsepositives:
- User genuinly creates a VB Macro for their email
level: medium
Reference in New Issue View Git Blame Copy Permalink