Suspicious Inter-Process Communication via Outlook
Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.
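[metadata]
creation_date = "2023/01/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.4.0"
updated_date = "2024/03/28"

[rule]
author = ["Elastic"]
description = """
Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect
sensitive information or send email on their behalf via API.
"""
from = "now-9m"
# Only Elastic Defend process events are read. The query depends on process.Ext.* fields
# (relative_file_creation_time, relative_file_name_modify_time, effective_parent), which
# other endpoint data sources do not populate, so the rule cannot simply be pointed at
# another process index.
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Inter-Process Communication via Outlook"
references = [
    "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1",
]
risk_score = 47
rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Data Source: Elastic Defend",
]
type = "eql"

# Detection logic: a two-stage sequence joined on the stage-1 executable, 1 minute window.
#   1. A process starts that is either one of the listed script hosts / living-off-the-land
#      binaries, or is untrusted/unsigned AND its image file was created or last modified
#      <= 500 before start (units presumably seconds, per Elastic Defend's relative_file_*
#      fields -- confirm against the field reference).
#   2. Within 1 minute OUTLOOK.EXE starts and its *effective* parent executable equals the
#      stage-1 process.executable. effective_parent rather than parent is used presumably
#      because COM activation launches Outlook through a broker rather than the calling
#      process -- confirm.
# Coverage caveats for defenders:
#   - Stage 2 requires an OUTLOOK.EXE *start* event. COM access to an already-running Outlook
#     instance produces no new process and therefore no match.
#   - maxspan keys on the stage-1 *start*. A long-lived shell (e.g. an interactive cmd.exe or
#     powershell.exe) that drives Outlook more than a minute after it started will not match.
# Tuning: `:` is a case-insensitive match in EQL. powershell.exe / pwsh.exe match stage 1
# regardless of signing, so legitimate mail automation may need an exception on
# process.executable or process.command_line.
# NOTE(review): no `note` (investigation guide) or `setup` field is present although
# min_stack_comments lists `setup`; consider adding guidance for triage.
query = '''
sequence with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and
 (
 process.name : (
 "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
 "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe"
 ) or
 (
 (process.code_signature.trusted == false or process.code_signature.exists == false) and
 (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
 )
 )
] by process.executable
[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
 process.Ext.effective_parent.name != null] by process.Ext.effective_parent.executable
'''

# ATT&CK mapping. Collection/T1114.001 reflects the likely objective (reading mail);
# Execution/T1559.001 reflects the mechanism the rule actually observes (COM IPC).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1114"
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"

[[rule.threat.technique.subtechnique]]
id = "T1114.001"
name = "Local Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/001/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"

[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"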