Suspicious Inter-Process Communication via Outlook
Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/01/11"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.4.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = """
12Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect
13sensitive information or send email on their behalf via API.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Inter-Process Communication via Outlook"
20references = [
21 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1",
22]
23risk_score = 47
24rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
32 process.Ext.effective_parent.name != null and
33 not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1114"
41name = "Email Collection"
42reference = "https://attack.mitre.org/techniques/T1114/"
43
44[[rule.threat.technique.subtechnique]]
45id = "T1114.001"
46name = "Local Email Collection"
47reference = "https://attack.mitre.org/techniques/T1114/001/"
48
49
50[rule.threat.tactic]
51id = "TA0009"
52name = "Collection"
53reference = "https://attack.mitre.org/tactics/TA0009/"
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58
59[[rule.threat.technique]]
60id = "T1559"
61name = "Inter-Process Communication"
62reference = "https://attack.mitre.org/techniques/T1559/"
63
64[[rule.threat.technique.subtechnique]]
65id = "T1559.001"
66name = "Component Object Model"
67reference = "https://attack.mitre.org/techniques/T1559/001/"
68
69
70[rule.threat.tactic]
71id = "TA0002"
72name = "Execution"
73reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. - center-for-threat-informed-defense/adversary_emulation_library
Read More
Related rules
- Encrypting Files with WinRar or 7z
- Exporting Exchange Mailbox via PowerShell
- Account Discovery Command via SYSTEM Account
- AdFind Command Activity
- Adding Hidden File Attribute via Attrib