Potential Persistence Via Outlook LoadMacroProviderOnBoot Setting

Summary
This detection rule identifies modifications to the Outlook setting "LoadMacroProviderOnBoot" in the Windows registry. When this setting is enabled (value `0x00000001`), Outlook automatically loads any configured Visual Basic for Applications (VBA) projects or modules each time it starts. Attackers can abuse this behavior to establish persistence on a system, so that malicious scripts execute without the user's knowledge. Monitoring changes to this registry value is therefore important for detecting backdoors or persistence mechanisms that use VBA scripts to execute commands or give unauthorized access to malicious actors.
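The following is an added example, not part of the Sigma rule or this page, showing the rule's logic applied to Sysmon Event ID 13 (registry value set) records as a detector would see them. The event records are constructed samples, and the `HKU\...\Office\16.0` path is an assumed typical location; the match keys only on the value name and the written data, as the rule does.

```python
import re
from typing import Iterable, List

# Sysmon Event ID 13 is a registry "Value Set" event; its Details field
# carries the written data, rendered for a DWORD as "DWORD (0x00000001)".
VALUE_SUFFIX = "\\outlook\\loadmacroprovideronboot"   # compared case-insensitively
ENABLED = re.compile(r"^DWORD \(0x0*1\)$")

def is_persistence_set(event: dict) -> bool:
    """True when a value-set event enables Outlook's LoadMacroProviderOnBoot."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()     # registry paths are case-insensitive
    if not target.endswith(VALUE_SUFFIX):
        return False
    return bool(ENABLED.match(event.get("Details", "")))

def scan(events: Iterable[dict]) -> List[dict]:
    """Return the events that match the rule; a SIEM would raise one alert per hit."""
    return [e for e in events if is_persistence_set(e)]

# Constructed sample telemetry (not real events). Only the first one should fire.
OUTLOOK_KEY = "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": OUTLOOK_KEY + "\\LoadMacroProviderOnBoot",
     "Details": "DWORD (0x00000001)"},                        # enabled: hit
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": OUTLOOK_KEY + "\\LoadMacroProviderOnBoot",
     "Details": "DWORD (0x00000000)"},                        # disabled: no hit
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": OUTLOOK_KEY + "\\Security\\Level",
     "Details": "DWORD (0x00000001)"},                        # other value: no hit
    {"EventID": 12, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": OUTLOOK_KEY + "\\LoadMacroProviderOnBoot",
     "Details": ""},                                          # key create, not value set
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT: LoadMacroProviderOnBoot enabled by {hit['Image']} -> {hit['TargetObject']}")
```

In practice, triage the alert by pivoting on the writing process (`Image`) and the user hive touched, since legitimate Outlook VBA use is rare outside developer workstations.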
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
Created: 2021-04-05