Suspicious Inter-Process Communication via Outlook
Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.
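[metadata]
creation_date = "2023/01/11"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/06/20"

[rule]
author = ["Elastic"]
description = """
Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may
target user email to collect sensitive information or send email on their behalf via API.
"""
# Look-back window per rule execution. It is wider than the query's 1m maxspan,
# presumably so that late-arriving events of a sequence are still paired —
# confirm against the rule's scheduled interval (not shown here).
from = "now-9m"
# Only process events are consulted: both legs of the sequence are process starts.
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Inter-Process Communication via Outlook"
references = [
 "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1",
]
risk_score = 47
rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Collection",
 "Data Source: Elastic Defend",
]
type = "eql"

# Two Windows process starts within 1m, joined on entity_id:
#   1. an "initiating" process that is either one of the listed script/LOLBin
#      hosts (rundll32, mshta, powershell, pwsh, cmd, regsvr32, cscript, wscript),
#      or any binary whose code signature is untrusted or absent AND whose file
#      was created or modified recently (the <= 500 threshold; the unit is not
#      stated in this file, presumably seconds — confirm against the endpoint schema);
#   2. an OUTLOOK.EXE start whose *effective* parent is the process from leg 1.
# The join uses process.Ext.effective_parent.entity_id rather than the direct
# parent, presumably because a COM-activated Outlook is not a direct child of
# the caller — verify against Elastic Defend's effective-parent enrichment. The
# `!= null` guard drops Outlook starts for which that enrichment is missing.
# NOTE(review): leg 2 requires a *new* OUTLOOK.EXE start. If Outlook is already
# running when the COM call is made, no start event is produced and this
# sequence cannot match; check whether another rule covers that case.
query = '''
sequence with maxspan=1m
[process where host.os.type == "windows" and event.action == "start" and
 (
 process.name : (
 "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
 "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe"
 ) or
 (
 (process.code_signature.trusted == false or process.code_signature.exists == false) and
 (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
 )
 )
] by process.entity_id
[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
 process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id
'''

# ATT&CK mapping: one entry per tactic. The behaviour is both a collection
# technique (local email collection) and an execution technique (COM-based
# inter-process communication), hence two [[rule.threat]] entries.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1114"
name = "Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/"
[[rule.threat.technique.subtechnique]]
id = "T1114.001"
name = "Local Email Collection"
reference = "https://attack.mitre.org/techniques/T1114/001/"

[rule.threat.tactic]
id = "TA0009"
name = "Collection"
reference = "https://attack.mitre.org/tactics/TA0009/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1559"
name = "Inter-Process Communication"
reference = "https://attack.mitre.org/techniques/T1559/"
[[rule.threat.technique.subtechnique]]
id = "T1559.001"
name = "Component Object Model"
reference = "https://attack.mitre.org/techniques/T1559/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"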