From f3bcffeb0a72bca185739317eaab1b1ba97566df Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 27 Jul 2021 09:58:00 +0200
Subject: [PATCH] Tune false positive

---
 .../windows/registry_event/sysmon_office_vsto_persistence.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
index 8eac61ee8..c8dbeb08a 100644
--- a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
+++ b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
@@ -4,17 +4,19 @@ status: experimental
 description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
 references:
     - https://twitter.com/_vivami/status/1347925307643355138
+    - https://vanmieghem.io/stealth-outlook-persistence/
 tags:
     - attack.t1137.006
     - attack.persistence
 author: Bhabesh Raj
 date: 2021/01/10
-modified: 2021/06/01
+modified: 2021/07/27
 logsource:
     category: registry_event
     product: windows
 detection:
     selection:
+        EventType: SetValue
         TargetObject|contains:
             - '\Software\Microsoft\Office\Outlook\Addins\'
             - '\Software\Microsoft\Office\Word\Addins\'
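Review bot: Adding `EventType: SetValue` to `selection` narrows the rule to value writes only, so key-creation events (Sysmon EID 12, `CreateKey`) under the `\Addins\` paths that previously matched are now silently excluded, and nothing in the hunk records that trade-off; a one-line YAML comment above the new line would preserve the rationale, e.g. `# SetValue only: CreateKey events under \Addins\ were the false-positive source; a key created without a value write is an accepted gap`. The rule's `falsepositives` field and the rest of `detection` are outside this hunk, so if they still describe the pre-tuning behaviour they should be updated in the same change. The reference and `modified` bumps need no comment.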