Suspicious Inter-Process Communication via Outlook

  1[metadata]
  2creation_date = "2023/01/11"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/02/14"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may
 11target user email to collect sensitive information or send email on their behalf via API.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.process-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Suspicious Inter-Process Communication via Outlook"
 18references = [
 19    "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Archive/CALDERA_DIY/evals/payloads/stepSeventeen_email.ps1",
 20]
 21risk_score = 47
 22rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1"
 23severity = "medium"
 24tags = [
 25    "Domain: Endpoint",
 26    "OS: Windows",
 27    "Use Case: Threat Detection",
 28    "Tactic: Collection",
 29    "Data Source: Elastic Defend",
 30    "Resources: Investigation Guide",
 31]
 32type = "eql"
 33
 34query = '''
 35sequence with maxspan=1m
 36[process where host.os.type == "windows" and event.action == "start" and
 37  (
 38    process.name : (
 39      "rundll32.exe", "mshta.exe", "powershell.exe", "pwsh.exe",
 40      "cmd.exe", "regsvr32.exe", "cscript.exe", "wscript.exe"
 41    ) or
 42    (
 43      (process.code_signature.trusted == false or process.code_signature.exists == false) and
 44      (process.Ext.relative_file_creation_time <= 500 or process.Ext.relative_file_name_modify_time <= 500)
 45    )
 46  )
 47] by process.entity_id
 48[process where host.os.type == "windows" and event.action == "start" and process.name : "OUTLOOK.EXE" and
 49  process.Ext.effective_parent.name != null] by process.Ext.effective_parent.entity_id
 50'''
 51note = """## Triage and analysis
 52
 53> **Disclaimer**:
 54> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 55
 56### Investigating Suspicious Inter-Process Communication via Outlook
 57
 58Outlook's integration with the Component Object Model (COM) allows processes to automate tasks like sending emails. Adversaries exploit this by using unusual processes to interact with Outlook, potentially to exfiltrate data or send unauthorized emails. The detection rule identifies such anomalies by monitoring for unexpected processes initiating communication with Outlook, especially those lacking trusted signatures or recently modified, indicating potential malicious activity.
 59
 60### Possible investigation steps
 61
 62- Review the process entity ID to identify the specific process that initiated communication with Outlook and determine if it is one of the unusual processes listed, such as rundll32.exe, mshta.exe, or powershell.exe.
 63- Check the code signature status of the initiating process. If the process is unsigned or has an untrusted signature, investigate the source and legitimacy of the executable.
 64- Analyze the relative file creation and modification times of the initiating process. If the process was created or modified recently (within 500 seconds), it may indicate a newly introduced or altered executable, warranting further scrutiny.
 65- Investigate the effective parent process of OUTLOOK.EXE to understand the context of how Outlook was launched. Determine if the parent process is expected or if it is an unusual or suspicious process.
 66- Correlate the alert with any recent user activity or changes on the host to identify potential user actions or system changes that could explain the process behavior.
 67- Examine any network activity associated with the initiating process to identify potential data exfiltration or unauthorized email sending attempts.
 68- Review any additional alerts or logs related to the host or user account to identify patterns or additional indicators of compromise.
 69
 70### False positive analysis
 71
 72- Legitimate administrative scripts or tools may trigger the rule if they use processes like PowerShell or cmd.exe to automate tasks involving Outlook. To manage this, identify and whitelist these scripts or tools by their specific file paths or hashes.
 73- Software updates or installations might cause processes to appear as recently modified, leading to false positives. Regularly update the list of trusted software and exclude these known update processes from triggering alerts.
 74- Custom in-house applications that interact with Outlook for business purposes may be flagged. Ensure these applications are signed with a trusted certificate or add them to an exception list based on their unique identifiers.
 75- Security tools or monitoring software that perform regular checks on Outlook might be misidentified. Verify these tools and exclude them by their process names or signatures to prevent unnecessary alerts.
 76
 77### Response and remediation
 78
 79- Immediately isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
 80- Terminate any suspicious processes identified in the alert, particularly those interacting with Outlook, such as rundll32.exe, mshta.exe, or powershell.exe.
 81- Conduct a thorough review of the email account associated with the affected Outlook process to identify any unauthorized access or email activity. Reset the account credentials if necessary.
 82- Analyze the process code signatures and file modification times to determine if any legitimate applications have been compromised. Reinstall or update these applications as needed.
 83- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
 84- Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the suspicious activity.
 85- Review and update endpoint protection policies to ensure that similar threats are detected and blocked in the future, leveraging the MITRE ATT&CK framework for guidance on email collection techniques."""
 86
 87
 88[[rule.threat]]
 89framework = "MITRE ATT&CK"
 90[[rule.threat.technique]]
 91id = "T1114"
 92name = "Email Collection"
 93reference = "https://attack.mitre.org/techniques/T1114/"
 94[[rule.threat.technique.subtechnique]]
 95id = "T1114.001"
 96name = "Local Email Collection"
 97reference = "https://attack.mitre.org/techniques/T1114/001/"
 98
 99
100
101[rule.threat.tactic]
102id = "TA0009"
103name = "Collection"
104reference = "https://attack.mitre.org/tactics/TA0009/"
105[[rule.threat]]
106framework = "MITRE ATT&CK"
107[[rule.threat.technique]]
108id = "T1559"
109name = "Inter-Process Communication"
110reference = "https://attack.mitre.org/techniques/T1559/"
111[[rule.threat.technique.subtechnique]]
112id = "T1559.001"
113name = "Component Object Model"
114reference = "https://attack.mitre.org/techniques/T1559/001/"
115
116
117
118[rule.threat.tactic]
119id = "TA0002"
120name = "Execution"
121reference = "https://attack.mitre.org/tactics/TA0002/"