Detectionhightest

Suspicious Outlook Macro Created

Detects the creation of a macro file for Outlook.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Feb 08117d3d3a-755c-4a61-b23e-9171146d094cwindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    filter:
        Image|endswith: '\outlook.exe'
    condition: selection and not filter

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0011 · Command and Control

Techniques

T1137 · Office Application Startup T1008 · Fallback Channels T1546 · Event Triggered Execution

Related Rules

DerivedDetectionmedium

New Outlook Macro Created

Detects the creation of a macro file for Outlook.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

117d3d3a-755c-4a61-b23e-9171146d094c

Status

test

Level

high

Type

Detection

Created

Wed Feb 08

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.command-and-controlattack.t1137attack.t1008attack.t1546

View on GitHub