Detectionhightest

Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Wed Feb 08Updated Thu Aug 176763c6c8-bd01-4687-bc8d-4fa52cf8ba08windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|endswith: '\Outlook\Security\EnableUnsafeClientMailRules'
        Details: 'DWORD (0x00000001)'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

support.microsoft.com

Resolving title…

speakerdeck.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1112 · Modify Registry

Related Rules

SimilarDetectionmedium

Outlook Security Settings Updated - Registry

Detects changes to the registry values related to outlook security settings

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionhigh

Outlook EnableUnsafeClientMailRules Setting Enabled

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

6763c6c8-bd01-4687-bc8d-4fa52cf8ba08

Status

test

Level

high

Type

Detection

Created

Wed Feb 08

Modified

Thu Aug 17

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/registry/registry_set/registry_set_office_outlook_enable_unsafe_client_mail_rules.yml

Raw Tags

attack.persistenceattack.defense-evasionattack.t1112

View on GitHub