Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting

Hunt Hypothesis

Detects the modification of Outlook setting “LoadMacroProviderOnBoot” which if enabled allows the automatic loading of any configured VBA project/module

Detection Rule

Sigma (Original)

title: Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting
id: 396ae3eb-4174-4b9b-880e-dc0364d78a19
status: test
description: Detects the modification of Outlook setting "LoadMacroProviderOnBoot" which if enabled allows the automatic loading of any configured VBA project/module
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
    - https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2021-04-05
modified: 2023-08-17
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.command-and-control
    - attack.t1137
    - attack.t1008
    - attack.t1546
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|endswith: '\Outlook\LoadMacroProviderOnBoot'
        Details|contains: '0x00000001'
    condition: selection
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey endswith "\\Outlook\\LoadMacroProviderOnBoot" and RegistryValueData contains "0x00000001"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey endswith "\\Outlook\\LoadMacroProviderOnBoot" and RegistryValueData contains "0x00000001"

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Tactic: Privilege Escalation
• Tactic: Persistence
• Tactic: Command and Control
• Technique: T1137 — T1137
• Technique: T1008 — T1008
• Technique: T1546 — T1546

References

• https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53
• https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/
• SigmaHQ Rule