Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 09:05:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

added outlook_vba_persistence rule

Browse Source
This commit is contained in:
@
2020-11-24 12:05:01 -06:00
parent bc33e8dda5
commit 54e3046b4a
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/windows/outlook_vba_persistence.yml
+17
View File
@@ -0,0 +1,17 @@
title: Outlook VBA Persistence
description: Detection of persistence through VbaProject.OTM use in Outlook.
author: keyboardcrunch
date: 24/10/2020
modified:
mitre:
tactic: Persistence
technique: T1137
subtechnique: 003
operating_system: windows
query: ( EventType In("File Creation", "File Modification") AND TgtFilePath Contains Anycase "\Roaming\Microsoft\Outlook" AND TgtFilePath EndsWith Anycase ".otm" ) OR ( EventType In ("Registry Value Create","Registry Value Modified") AND RegistryKeyPath ContainsCIS "Outlook\Security\Level" )
false_positives:
- Possible legit uses of macros for sorting/saving emails.
tags:
-
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/