it is unusual to modify this feature on a windows system. although no false positives have been identified, use the provided filter macro to tune the search.

Techniques

Sample rules

Windows Outlook LoadMacroProviderOnBoot Persistence

source: splunk
technicques:
- T1112
- T1137

Description

The following analytic detects the modification of the Windows Registry key “LoadMacroProviderOnBoot” under Outlook. This enables automatic loading of macros, which could allow malicious scripts to run without notice. This detection leverages data from the Endpoint.Registry datamodel to search for this key being enabled. This activity is significant as it is commonly associated with some malware infections, indicating potential malicious intent to harvest email information.

Detection logic


| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry WHERE Registry.registry_path="*\\Outlook\\*" Registry.registry_value_name="LoadMacroProviderOnBoot" Registry.registry_value_data="0x00000001" by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user Registry.vendor_product 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_outlook_loadmacroprovideronboot_persistence_filter`