Detectionmediumtest

Outlook Security Settings Updated - Registry

Detects changes to the registry values related to outlook security settings

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Tue Dec 28Updated Fri Jan 09c3cefdf4-6703-4e1c-bad8-bf422fc5015awindows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\Security\'
    filter_main_outlook:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
        Image|endswith: '\OUTLOOK.EXE'
    condition: selection and not 1 of filter_main_*

False Positives

Administrative activity

References

MITRE ATT&CK

Tactics

TA0003 · Persistence

Techniques

T1137 · Office Application Startup

Related Rules

SimilarDetectionhigh

Outlook EnableUnsafeClientMailRules Setting Enabled - Registry

Detects an attacker trying to enable the outlook security setting "EnableUnsafeClientMailRules" which allows outlook to run applications or execute macros

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

c3cefdf4-6703-4e1c-bad8-bf422fc5015a

Status

test

Level

medium

Type

Detection

Created

Tue Dec 28

Modified

Fri Jan 09

Author

François Hubaut

Path

rules/windows/registry/registry_set/registry_set_office_outlook_security_settings.yml

Raw Tags

attack.persistenceattack.t1137

View on GitHub