Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-09 09:27:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
710d621de042f31407aa8f0dcedba4e8bd7d7439
keyboardcrunch-sentinelone-…/queries/windows/outlook_vba_persistence.yml
T
keyboardcrunch 4d6ac236bc Cleaned up signature descriptions and metadata.
2020-12-05 21:45:38 -06:00

17 lines
730 B
YAML
Raw Blame History

title: Outlook VBA Persistence
description: Detection of persistence through VbaProject.OTM use in Outlook.
author: keyboardcrunch
date: 24/11/2020
modified:
mitre:
tactic: Persistence
technique: T1137
subtechnique: 003
operating_system: windows
query: ( EventType In("File Creation", "File Modification") AND TgtFilePath Contains Anycase "\Roaming\Microsoft\Outlook" AND TgtFilePath EndsWith Anycase ".otm" ) OR ( EventType In ("Registry Value Create","Registry Value Modified") AND RegistryKeyPath ContainsCIS "Outlook\Security\Level" )
false_positives:
- Possible legit uses of macros for sorting or saving emails.
tags:
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
Reference in New Issue View Git Blame Copy Permalink