Rule Info
Name
Suspicious COM CLSID Registry Value Set By Outlook.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the creation of a COM CLSID pointing to a DLL file residing in the Outlook Forms directory.
This is could potentially indicate the installation of a malicious Outlook Form.
Investigate further action executed during this time frame and look for a DLL being dropped to disk and then that same DLL being loaded by the Outlook process.
Date
2024-03-12 00:00:00
Modified
None
Id
7f812f92-eccd-4a2c-8f93-aefc8add99b0
Tags
attack.persistence
Type
Nextron Sigma feed only (private)