sigmaDRL-1.1from SigmaHQ/sigma
Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form which can contain malicious code
Quality
98
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/windows/file/file_event/file_event_win_office_outlook_newform.yml
title: Potential Persistence Via Outlook Form
id: c3edc6a5-d9d4-48d8-930e-aab518390917
status: test
description: Detects the creation of a new Outlook form which can contain malicious code
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
- https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
- https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
author: Tobias Michalski (Nextron Systems)
date: 2021-06-10
modified: 2023-02-22
tags:
- attack.persistence
- attack.t1137.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\outlook.exe'
TargetFilename|contains:
- '\AppData\Local\Microsoft\FORMS\IPM'
- '\Local Settings\Application Data\Microsoft\Forms' # Windows XP
condition: selection
falsepositives:
- Legitimate use of outlook forms
level: high