
New Outlook Macro Created

Detects the creation of a macro file for Outlook.

Author: @scoubimtl
Created: Mon Apr 05
Updated: Wed Feb 08
Rule ID: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
Product: windows

Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)

Events for file system activity including creation, modification, and deletion.

Detection Logic (1 selector)
detection:
    selection:
        Image|endswith: '\outlook.exe'
        TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
    condition: selection
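To show what this selector actually does when applied to file-event telemetry, here is an added example (not code from the rule author or the Sigma project) that evaluates the selection above against a few constructed Sysmon-style FileCreate records. It assumes the field names `Image` and `TargetFilename` used by the rule and the Sigma default of case-insensitive string matching; the sample paths and user name are made up. Only the Outlook process writing `VbaProject.OTM` is reported; Outlook writing another file, or another process writing the same OTM path, is not, which is exactly the coverage boundary of this rule.

```python
# Added example: evaluate the Sigma selection above against constructed
# file-event records. Not code from the rule author or the Sigma project.

SELECTION = {
    "Image|endswith": "\\outlook.exe",
    "TargetFilename|endswith": "\\Microsoft\\Outlook\\VbaProject.OTM",
}

# Constructed sample events shaped like Sysmon Event ID 11 (FileCreate)
# after a log pipeline has normalised them; field names follow the rule.
SAMPLE_EVENTS = [
    {   # true positive: Outlook itself writes the VBA project file
        "EventID": 11,
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM",
    },
    {   # benign: Outlook writing its mailbox cache, not a macro file
        "EventID": 11,
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice@example.com.ost",
    },
    {   # outside this rule's scope: a different process touches the OTM path
        "EventID": 11,
        "Image": "C:\\Windows\\explorer.exe",
        "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM",
    },
]


def _field_matches(event, field, modifier, expected):
    """Apply one Sigma field condition (plain or with a string modifier)."""
    actual = event.get(field)
    if actual is None:
        return False
    # Sigma string comparisons are case-insensitive unless a rule opts out.
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection=SELECTION):
    """A Sigma selection map is an AND of all its field conditions."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event, field, modifier or None, expected):
            return False
    return True


def find_hits(events, selection=SELECTION):
    """Return the events that satisfy 'condition: selection'."""
    return [e for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT: Outlook macro file created:", hit["TargetFilename"])
```

A hit from this rule still needs triage against the false positive listed below: a user deliberately adding a macro produces the identical event, so the useful follow-up is who the user is, whether Outlook macros are expected on that host, and what the OTM file contains.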
False Positives

User genuinely creates a VB Macro for their email

Rule Metadata
Rule ID
8c31f563-f9a7-450c-bfa8-35f8f32f1f61
Status
test
Level
medium
Type
Detection
Created
Mon Apr 05
Modified
Wed Feb 08
Path
rules/windows/file/file_event/file_event_win_office_outlook_macro_creation.yml
Raw Tags
attack.privilege-escalation
attack.persistence
attack.command-and-control
attack.t1137
attack.t1008
attack.t1546