Outlook Home Page Registry Modification
Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/08/01"
3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and
13control or persistence.
14"""
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Outlook Home Page Registry Modification"
20references = [
21 "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/",
22 "https://github.com/trustedsec/specula"
23]
24risk_score = 47
25rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
26severity = "medium"
27tags = [
28 "Domain: Endpoint",
29 "OS: Windows",
30 "Use Case: Threat Detection",
31 "Tactic: Command and Control",
32 "Tactic: Persistence",
33 "Data Source: Elastic Endgame",
34 "Data Source: Elastic Defend",
35 "Data Source: Sysmon",
36 "Data Source: Microsoft Defender for Endpoint",
37 "Data Source: SentinelOne",
38]
39timestamp_override = "event.ingested"
40type = "eql"
41
42query = '''
43registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
44 registry.path : (
45 "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
46 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
47 "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
48 "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
49 "USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL"
50 ) and registry.data.strings : "*http*"
51'''
52
53
54[[rule.threat]]
55framework = "MITRE ATT&CK"
56
57[rule.threat.tactic]
58id = "TA0011"
59name = "Command and Control"
60reference = "https://attack.mitre.org/tactics/TA0011/"
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1137"
66name = "Office Application Startup"
67reference = "https://attack.mitre.org/techniques/T1137/"
68[[rule.threat.technique.subtechnique]]
69id = "T1137.004"
70name = "Outlook Home Page"
71reference = "https://attack.mitre.org/techniques/T1137/004/"
72
73
74
75[rule.threat.tactic]
76id = "TA0003"
77name = "Persistence"
78reference = "https://attack.mitre.org/tactics/TA0003/"
References
-
Attackers have a dirty little secret that is being used to conduct big intrusions. We’ll explain how they're "unpatching" an exploit and then provide new Outlook hardening guidance that is not avai...
Read More -
Related rules
- Adding Hidden File Attribute via Attrib
- Adobe Hijack Persistence
- Browser Extension Install
- Creation of a Hidden Local User Account
- Creation or Modification of a new GPO Scheduled Task or Service