Suspicious Inter-Process Communication via Outlook

Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/01/11"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.4.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect
13sensitive information or send email on their behalf via API.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious Inter-Process Communication via Outlook"
20references = [
21    "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1",
22]
23risk_score = 47
24rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
25severity = "medium"
26tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: Elastic Defend"]
27timestamp_override = "event.ingested"
28type = "eql"
29
30query = '''
31process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE"  and
32 process.Ext.effective_parent.name != null and
33 not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1114"
41name = "Email Collection"
42reference = "https://attack.mitre.org/techniques/T1114/"
43
44[[rule.threat.technique.subtechnique]]
45id = "T1114.001"
46name = "Local Email Collection"
47reference = "https://attack.mitre.org/techniques/T1114/001/"
48
49
50[rule.threat.tactic]
51id = "TA0009"
52name = "Collection"
53reference = "https://attack.mitre.org/tactics/TA0009/"
54
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58
59[[rule.threat.technique]]
60id = "T1559"
61name = "Inter-Process Communication"
62reference = "https://attack.mitre.org/techniques/T1559/"
63
64[[rule.threat.technique.subtechnique]]
65id = "T1559.001"
66name = "Component Object Model"
67reference = "https://attack.mitre.org/techniques/T1559/001/"
68
69
70[rule.threat.tactic]
71id = "TA0002"
72name = "Execution"
73reference = "https://attack.mitre.org/tactics/TA0002/"

References

Related rules

to-top