Outlook Home Page Registry Modification
Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/08/01"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/08/01"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and
11control or persistence.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Outlook Home Page Registry Modification"
18references = [
19 "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/",
20 "https://github.com/trustedsec/specula"
21]
22risk_score = 47
23rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
24severity = "medium"
25tags = [
26 "Domain: Endpoint",
27 "OS: Windows",
28 "Use Case: Threat Detection",
29 "Tactic: Command and Control",
30 "Tactic: Persistence",
31 "Data Source: Elastic Endgame",
32 "Data Source: Elastic Defend",
33 "Data Source: Sysmon"
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
40 registry.path : (
41 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
42 "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
43 "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL"
44 ) and registry.data.strings : "*http*"
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50
51[rule.threat.tactic]
52id = "TA0011"
53name = "Command and Control"
54reference = "https://attack.mitre.org/tactics/TA0011/"
55
56[[rule.threat]]
57framework = "MITRE ATT&CK"
58[[rule.threat.technique]]
59id = "T1137"
60name = "Office Application Startup"
61reference = "https://attack.mitre.org/techniques/T1137/"
62[[rule.threat.technique.subtechnique]]
63id = "T1137.004"
64name = "Outlook Home Page"
65reference = "https://attack.mitre.org/techniques/T1137/004/"
66
67
68
69[rule.threat.tactic]
70id = "TA0003"
71name = "Persistence"
72reference = "https://attack.mitre.org/tactics/TA0003/"
References
Related rules
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Adobe Hijack Persistence
- Persistence via BITS Job Notify Cmdline
- Persistence via Scheduled Job Creation
- Port Forwarding Rule Addition