Suspicious Inter-Process Communication via Outlook
Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/11"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/06/20"
6
7[rule]
8author = ["Elastic"]
9description = """
10Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may
11target user email to collect sensitive information or send email on their behalf via API.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Suspicious Inter-Process Communication via Outlook"
18references = [
19 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1",
20]
21risk_score = 47
22rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
23severity = "medium"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Collection",
29 "Data Source: Elastic Defend",
30]
31type = "eql"
32
33query = '''
34sequence with maxspan=1m
35[process where host.os.type == "windows" and event.action == "start" and
36 (
37 process.name : (
38 "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
39 "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe"
40 ) or
41 (
42 (process.code_signature.trusted == false or process.code_signature.exists == false) and
43 (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
44 )
45 )
46] by process.entity_id
47[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
48 process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1114"
56name = "Email Collection"
57reference = "https://attack.mitre.org/techniques/T1114/"
58[[rule.threat.technique.subtechnique]]
59id = "T1114.001"
60name = "Local Email Collection"
61reference = "https://attack.mitre.org/techniques/T1114/001/"
62
63
64
65[rule.threat.tactic]
66id = "TA0009"
67name = "Collection"
68reference = "https://attack.mitre.org/tactics/TA0009/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1559"
73name = "Inter-Process Communication"
74reference = "https://attack.mitre.org/techniques/T1559/"
75[[rule.threat.technique.subtechnique]]
76id = "T1559.001"
77name = "Component Object Model"
78reference = "https://attack.mitre.org/techniques/T1559/001/"
79
80
81
82[rule.threat.tactic]
83id = "TA0002"
84name = "Execution"
85reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. - center-for-threat-informed-defense/adversary_emulation_library
Read More
Related rules
- Potential Masquerading as Communication Apps
- Delayed Execution via Ping
- Execution from a Removable Media with Network Connection
- Expired or Revoked Driver Loaded
- First Time Seen Driver Loaded