Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-10 01:47:15 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a428941d645eb04ded14e8ca432f86068be0dfe4
keyboardcrunch-sentinelone-…/queries/windows/outlook_vba_persistence.yml
T

18 lines
732 B
YAML
Raw Blame History

title: Outlook VBA Persistence
description: Detection of persistence through VbaProject.OTM use in Outlook.
author: keyboardcrunch
date: 24/11/2020
modified:
mitre:
tactic: Persistence
technique: T1137
subtechnique: 003
operating_system: windows
query: ( EventType In("File Creation", "File Modification") AND TgtFilePath Contains Anycase "\Roaming\Microsoft\Outlook" AND TgtFilePath EndsWith Anycase ".otm" ) OR ( EventType In ("Registry Value Create","Registry Value Modified") AND RegistryKeyPath ContainsCIS "Outlook\Security\Level" )
false_positives:
- Possible legit uses of macros for sorting/saving emails.
tags:
-
references:
- https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
Reference in New Issue View Git Blame Copy Permalink