From 54e3046b4a7eb1aa580681edc343736a656a679c Mon Sep 17 00:00:00 2001
From: "@" <@>
Date: Tue, 24 Nov 2020 12:05:01 -0600
Subject: [PATCH] added outlook_vba_persistence rule

---
 queries/windows/outlook_vba_persistence.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 queries/windows/outlook_vba_persistence.yml

diff --git a/queries/windows/outlook_vba_persistence.yml b/queries/windows/outlook_vba_persistence.yml
new file mode 100644
index 0000000..10b3dda
--- /dev/null
+++ b/queries/windows/outlook_vba_persistence.yml
@@ -0,0 +1,17 @@
+title: Outlook VBA Persistence
+description: Detection of persistence through VbaProject.OTM use in Outlook.
+author: keyboardcrunch
+date: 24/10/2020
+modified:
+mitre:
+ tactic: Persistence
+ technique: T1137
+ subtechnique: 003
+operating_system: windows
+query: ( EventType In("File Creation", "File Modification") AND TgtFilePath Contains Anycase "\Roaming\Microsoft\Outlook" AND TgtFilePath EndsWith Anycase ".otm" ) OR ( EventType In ("Registry Value Create","Registry Value Modified") AND RegistryKeyPath ContainsCIS "Outlook\Security\Level" )
+false_positives:
+ - Possible legit uses of macros for sorting/saving emails.
+tags:
+ -
+references:
+ - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
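Review bot: The registry half of `query` fires on any create or modify of a value whose key path contains `Outlook\Security\Level`, but `false_positives` only covers the OTM half; add an entry such as `- Administrative or GPO-driven changes to the Outlook macro security Level value.` so triage knows why benign hits appear. The two halves also spell case-insensitive matching differently (`Contains Anycase` on the file path, `ContainsCIS` on the registry path), and `In(` versus `In (` differs between them; picking one form would make the rule easier to read and maintain. `date: 24/10/2020` is a day/month value that predates both the linked November 2020 write-up and the commit date, so it is probably meant to be the 24th of November, and an unambiguous ISO form (`date: 2020-11-24`) would avoid the day/month question entirely. Finally `tags:` holds a single bare `-`, which parses as a null list entry; either give it a value or drop the item.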