Merge pull request #3681 from splunk/notdoor_outlook_macros

NotDoor Outlook Macro Detections

Author: patel-bhavin

detections/endpoint/windows_outlook_dialogs_disabled_from_unusual_process.yml

@@ -0,0 +1,84 @@
+name: Windows Outlook Dialogs Disabled from Unusual Process
+id: 94e3ba29-6245-4f25-8d47-d5b6b34c40ac
+version: 1
+date: '2025-09-08'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: The following analytic detects the modification of the Windows Registry
+  key "PONT_STRING" under Outlook Options. This disables certain dialog popups,
+  which could allow malicious scripts to run without notice. This detection leverages data from
+  the Endpoint.Registry datamodel to search for this key changing from an unusual process. 
+  This activity is significant as it is commonly associated with some malware 
+  infections, indicating potential malicious intent to harvest email information.
+data_source:
+- Sysmon EventID 13
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry 
+  WHERE Registry.registry_path="*\\Outlook\\Options\\General*" Registry.registry_value_name="PONT_STRING" 
+  by Registry.action Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive 
+  Registry.registry_path Registry.registry_key_name Registry.registry_value_data 
+  Registry.registry_value_name Registry.registry_value_type Registry.status Registry.user 
+  Registry.vendor_product | `drop_dm_object_name(Registry)`| join process_guid [| tstats
+  `security_content_summariesonly` count FROM datamodel=Endpoint.Processes WHERE NOT
+  (Processes.process_name = "Outlook.exe") by _time span=1h
+  Processes.action Processes.dest Processes.original_file_name
+  Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+  Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+  Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
+  Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path
+  Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)`]
+  | fields _time parent_process_name parent_process process_name process_path process
+  process_guid registry_path registry_value_name registry_value_data registry_key_name
+  action dest user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `windows_outlook_dialogs_disabled_from_unusual_process_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the registry value name, registry path, and registry value data from your
+  endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
+  Sysmon TA. https://splunkbase.splunk.com/app/5709
+known_false_positives: It is unusual for processes other than Outlook to modify this 
+  feature on a Windows system since it is a default Outlook functionality. Although no 
+  false positives have been identified, use the provided filter macro to tune the search.
+references:
+- https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/
+- https://hackread.com/russian-apt28-notdoor-backdoor-microsoft-outlook/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Outlook Dialog registry key modified on $dest$ by unusual process
+  risk_objects:
+  - field: dest
+    type: system
+    score: 44
+  threat_objects: []
+tags:
+  analytic_story:
+  - NotDoor Malware
+  - Windows Registry Abuse
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1112
+  - T1562
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/notdoor/disable_dialogs/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
+

detections/endpoint/windows_outlook_loadmacroprovideronboot_persistence.yml

@@ -0,0 +1,74 @@
+name: Windows Outlook LoadMacroProviderOnBoot Persistence
+id: 93c91139-01f8-4905-802b-0d106f026b13
+version: 1
+date: '2025-09-09'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: The following analytic detects the modification of the Windows Registry
+  key "LoadMacroProviderOnBoot" under Outlook. This enables automatic loading of macros,
+  which could allow malicious scripts to run without notice. This detection leverages data from
+  the Endpoint.Registry datamodel to search for this key being enabled. 
+  This activity is significant as it is commonly associated with some malware 
+  infections, indicating potential malicious intent to harvest email information.
+data_source:
+- Sysmon EventID 13
+search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
+  WHERE Registry.registry_path="*\\Outlook\\*" Registry.registry_value_name="LoadMacroProviderOnBoot"
+  Registry.registry_value_data="0x00000001" by Registry.action
+  Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path
+  Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
+  Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
+  | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `windows_outlook_loadmacroprovideronboot_persistence_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the registry value name, registry path, and registry value data from your
+  endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
+  Sysmon TA. https://splunkbase.splunk.com/app/5709
+known_false_positives: It is unusual to modify this feature on a Windows system. 
+  Although no false positives have been identified, use the provided filter macro
+  to tune the search.
+references:
+- https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/
+- https://hackread.com/russian-apt28-notdoor-backdoor-microsoft-outlook/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Outlook LoadMacroProviderOnBoot registry key modified on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 54
+  threat_objects: []
+tags:
+  analytic_story:
+  - NotDoor Malware
+  - Windows Registry Abuse
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1112
+  - T1137
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/notdoor/loadmacroprovideronboot/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog
+

detections/endpoint/windows_outlook_macro_created_by_suspicious_process.yml

@@ -0,0 +1,78 @@
+name: Windows Outlook Macro Created by Suspicious Process
+id: 3ec347e3-a94a-4a8b-a918-8306ea403182
+version: 1
+date: '2025-09-09'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: The following analytic detects the creation of an Outlook Macro
+  (VbaProject.OTM) by a suspicious process. This file is normally created when you
+  create a macro from within Outlook. If this file is created by a process other than
+  Outlook.exe it may be maliciously created. This detection leverages data from
+  the Filesystem datamodel, specifically looking for the file creation event for
+  VbaProject.OTM. This activity is significant as it is commonly associated with 
+  some malware infections, indicating potential malicious intent to harvest email information. 
+data_source:
+- Sysmon EventID 11
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime values(Filesystem.file_create_time) as file_create_time from datamodel=Endpoint.Filesystem
+  where Filesystem.file_path="*Appdata\\Roaming\\Microsoft\\Outlook\\VbaProject.OTM" 
+  by Filesystem.action Filesystem.dest Filesystem.file_access_time
+  Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name
+  Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid
+  Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `windows_outlook_macro_created_by_suspicious_process_filter`'
+how_to_implement: You must be ingesting data that records file-system activity from
+  your hosts to populate the Endpoint file-system data-model node. If you are using
+  Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you
+  want to collect data.
+known_false_positives: Because this file are always created by Outlook in normal operations,
+  you should investigate all results.
+references:
+- https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/
+- https://hackread.com/russian-apt28-notdoor-backdoor-microsoft-outlook/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Suspicious Outlook macro $file_name$ created on $dest$
+  risk_objects:
+  - field: user
+    type: user
+    score: 70
+  - field: dest
+    type: system
+    score: 70
+  threat_objects:
+  - field: file_name
+    type: file_name
+tags:
+  analytic_story:
+  - NotDoor Malware
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1137
+  - T1059.005
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/notdoor/outlook_macro/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_outlook_macro_security_modified.yml

@@ -0,0 +1,75 @@
+name: Windows Outlook Macro Security Modified
+id: 47872bb4-9987-4c33-a897-4d2d1ac7d4c2
+version: 1
+date: '2025-09-08'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: The following analytic detects the modification of the Windows Registry
+  key "Level" under Outlook Security. This allows macros to execute without warning,
+  which could allow malicious scripts to run without notice. This detection leverages data from
+  the Endpoint.Registry datamodel, specifically looking for the registry value name
+  "Level" with a value of "0x00000001". This activity is significant
+  as it is commonly associated with some malware infections, indicating potential
+  malicious intent to harvest email information. 
+data_source:
+- Sysmon EventID 13
+search:  '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Registry
+  WHERE Registry.registry_path="*\\Outlook\\Security*" Registry.registry_value_name="Level"
+  Registry.registry_value_data="0x00000001" by Registry.action
+  Registry.dest Registry.process_guid Registry.process_id Registry.registry_hive Registry.registry_path
+  Registry.registry_key_name Registry.registry_value_data Registry.registry_value_name
+  Registry.registry_value_type Registry.status Registry.user Registry.vendor_product
+  | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `windows_outlook_macro_security_modified_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting
+  logs with the registry value name, registry path, and registry value data from your
+  endpoints. If you are using Sysmon, you must have at least version 2.0 of the official
+  Sysmon TA. https://splunkbase.splunk.com/app/5709
+known_false_positives: It is unusual to modify this feature on a Windows system since
+  it is a default security control, although it is not rare for some policies to disable
+  it. Although no false positives have been identified, use the provided filter macro
+  to tune the search.
+references:
+- https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/
+- https://hackread.com/russian-apt28-notdoor-backdoor-microsoft-outlook/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Outlook Macro Security Level registry modified on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 44
+  threat_objects: []
+tags:
+  analytic_story:
+  - NotDoor Malware
+  - Windows Registry Abuse
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1137
+  - T1008
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/notdoor/macro_security_level/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

stories/notdoor_malware.yml

@@ -0,0 +1,27 @@
+name: NotDoor Malware
+id: 9f01c0ab-f057-477f-980b-ffb72beb10ab
+version: 1
+status: production
+date: '2025-09-09'
+author: Raven Tait, Splunk
+description: NotDoor is an Outlook backdoor associated with APT28 who is known for breaching 
+  organizations across multiple sectors in NATO member states. This analytical story harnesses 
+  targeted search methodologies to uncover and investigate activities that could be indicative
+  of NotDoor's presence. These activities include tracking file write operations for dropped macros, 
+  scrutinizing registry modifications aimed at establishing persistence mechanisms, 
+  monitoring suspicious processes, and other malicious actions.
+narrative: APT28, also known as Fancy Bear, blends stealth and expertise in its cyber operations. Affiliated with Russia's GRU, 
+  their latest campaign involved the malware, named NotDoor for its use of the term “Nothing” in its code, which is implemented
+  as a VBA macro for Outlook. It monitors incoming emails for a predefined trigger word, and upon detection, allows attackers
+  to exfiltrate data, upload files, and execute commands on the compromised system.
+references: 
+- https://lab52.io/blog/analyzing-notdoor-inside-apt28s-expanding-arsenal/
+- https://hackread.com/russian-apt28-notdoor-backdoor-microsoft-outlook/
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection