Outlook Home Page Registry Modification

Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/08/01"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/08/01"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and
11control or persistence.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Outlook Home Page Registry Modification"
18references = [
19    "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/",
20    "https://github.com/trustedsec/specula"
21]
22risk_score = 47
23rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
24severity = "medium"
25tags = [
26    "Domain: Endpoint",
27    "OS: Windows",
28    "Use Case: Threat Detection",
29    "Tactic: Command and Control",
30    "Tactic: Persistence",
31    "Data Source: Elastic Endgame",
32    "Data Source: Elastic Defend",
33    "Data Source: Sysmon"
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
40    registry.path : (
41        "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
42        "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
43        "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL"
44    ) and registry.data.strings : "*http*"
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50
51[rule.threat.tactic]
52id = "TA0011"
53name = "Command and Control"
54reference = "https://attack.mitre.org/tactics/TA0011/"
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1137"
60name = "Office Application Startup"
61reference = "https://attack.mitre.org/techniques/T1137/"
62[[rule.threat.technique.subtechnique]]
63id = "T1137.004"
64name = "Outlook Home Page"
65reference = "https://attack.mitre.org/techniques/T1137/004/"
66
67
68
69[rule.threat.tactic]
70id = "TA0003"
71name = "Persistence"
72reference = "https://attack.mitre.org/tactics/TA0003/"

References

Related rules

to-top