From 343e50a39d17820cf40a3f6118a3624f68c153c4 Mon Sep 17 00:00:00 2001
From: Fplyth0ner
Date: Sun, 11 Sep 2022 00:20:55 +0800
Subject: [PATCH] Update action.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a new detect rule is named “已知Outlook模板宏持久化行为”.
---
 Server/rules/py/action.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Server/rules/py/action.py b/Server/rules/py/action.py
index e534db6..70959d8 100644
--- a/Server/rules/py/action.py
+++ b/Server/rules/py/action.py
@@ -1,4 +1,11 @@
 rule = [
+ {
+ 'rules': [
+ 'action == "filecreate" and targetfilename =~ "c:\\users\\.*\\appdata\\roaming\\microsoft\\outlook\\vbaproject.otm"'
+ ],
+ 'score': 300,
+ 'name': '已知Outlook模板宏持久化行为'
+ },
 {
 'rules': [
 'action == "processaccess" and targetimage =~ ".*lsass.exe" and grantedaccess & 0x0010 and sourceimage =~ ".*rundll32.exe"',
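Review bot: The new `targetfilename` pattern is written in an ordinary single-quoted Python string, so `'c:\\users\\.*\\appdata...'` reaches the rule engine with single backslashes (`c:\users\.*\appdata\roaming\...`); if the engine hands that double-quoted literal to `re`, `\u` is an incomplete escape and `\m`/`\o` are bad escapes, so the rule fails to load instead of matching, and even a lenient matcher would read `\a`, `\r` and `\v` as control-character escapes rather than path separators. Unless the DSL parser is known to re-escape backslashes, make it a raw string, confine the user segment to one directory and escape the dot: `r'action == "filecreate" and targetfilename =~ "c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\outlook\\vbaproject\\.otm"'`. Sysmon reports the path as `C:\Users\...\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM`; the existing rules also use lowercase image names, so matching is presumably case-normalized, but that is worth confirming before relying on an all-lowercase literal. Outlook itself rewrites this file whenever a user saves a macro in the VBA editor, so at score 300 consider either excluding `sourceimage =~ ".*outlook.exe"` or documenting that as the expected benign source in the rule so analysts can triage it.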