Outlook Home Page Registry Modification
Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and control or persistence.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/08/01"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies modifications in registry keys associated with abuse of the Outlook Home Page functionality for command and
control or persistence.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Outlook Home Page Registry Modification"
references = [
    "https://cloud.google.com/blog/topics/threat-intelligence/breaking-the-rules-tough-outlook-for-home-page-attacks/",
    "https://github.com/trustedsec/specula"
]
risk_score = 47
rule_id = "ac5a2759-5c34-440a-b0c4-51fe674611d6"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.action != "deletion" and registry.value : "URL" and
  registry.path : (
    "HKCU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
    "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
    "HKU\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
    "\\REGISTRY\\USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL",
    "USER\\*\\SOFTWARE\\Microsoft\\Office\\*\\Outlook\\Webview\\Inbox\\URL"
  ) and registry.data.strings : "*http*"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Outlook Home Page Registry Modification

The Outlook Home Page feature allows users to set a webpage as the default view for folders, leveraging registry keys to store URL configurations. Adversaries exploit this by modifying these keys to redirect to malicious sites, enabling command and control or persistence. The detection rule identifies suspicious registry changes, focusing on URL entries within specific paths, flagging potential misuse for further investigation.

### Possible investigation steps

- Review the registry path and value to confirm the presence of a suspicious URL entry in the specified registry paths, such as "HKCU\\\\*\\\\SOFTWARE\\\\Microsoft\\\\Office\\\\*\\\\Outlook\\\\Webview\\\\Inbox\\\\URL".
- Investigate the URL found in the registry data strings to determine if it is known to be malicious or associated with suspicious activity.
- Check the modification history of the registry key to identify when the change occurred and which user or process made the modification.
- Correlate the registry modification event with other security events on the host, such as network connections or process executions, to identify potential malicious activity.
- Assess the affected system for signs of compromise, including unusual network traffic or unauthorized access attempts, to determine the scope of the incident.
- Consult threat intelligence sources to see if the URL or related indicators are associated with known threat actors or campaigns.

### False positive analysis

- Legitimate software updates or installations may modify the registry keys associated with Outlook's Home Page feature. Users can create exceptions for known software update processes to prevent unnecessary alerts.
- Custom scripts or administrative tools used by IT departments to configure Outlook settings across multiple machines might trigger this rule. Identifying and excluding these trusted scripts or tools can reduce false positives.
- Some third-party Outlook add-ins or plugins may alter the registry keys for legitimate purposes. Users should verify the legitimacy of these add-ins and whitelist them if they are deemed safe.
- Automated backup or recovery solutions that restore Outlook settings might cause registry changes. Users can exclude these processes if they are part of a regular and secure backup routine.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further communication with potentially malicious sites.
- Use endpoint detection and response (EDR) tools to terminate any suspicious processes associated with the modified registry keys.
- Restore the modified registry keys to their default values to remove the malicious URL configuration.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats.
- Review and analyze network logs to identify any outbound connections to suspicious domains or IP addresses, and block these at the firewall.
- Escalate the incident to the security operations center (SOC) for further investigation and to determine if other systems are affected.
- Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the threat, focusing on registry changes and network activity."""


[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"
[[rule.threat.technique.subtechnique]]
id = "T1137.004"
name = "Outlook Home Page"
reference = "https://attack.mitre.org/techniques/T1137/004/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
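To show what the EQL query above actually accepts and rejects, here is an added Python re-implementation of its conditions run over a few constructed ECS-style registry events (example code written for this page, not part of the Elastic rule or its test suite). The sample events, the SID, the Office version and the URLs are invented; the path patterns are copied from the query, and fnmatch stands in for EQL's case-insensitive `:` wildcard matching.

```python
import fnmatch
from typing import Iterable
# Path patterns copied from the rule's EQL query; EQL "*" maps to fnmatch "*".
OUTLOOK_HOMEPAGE_PATHS = [
    r"HKCU\*\SOFTWARE\Microsoft\Office\*\Outlook\Webview\Inbox\URL",
    r"HKEY_USERS\*\SOFTWARE\Microsoft\Office\*\Outlook\Webview\Inbox\URL",
    r"HKU\*\SOFTWARE\Microsoft\Office\*\Outlook\Webview\Inbox\URL",
    r"\REGISTRY\USER\*\SOFTWARE\Microsoft\Office\*\Outlook\Webview\Inbox\URL",
    r"USER\*\SOFTWARE\Microsoft\Office\*\Outlook\Webview\Inbox\URL",
]

def matches_rule(event: dict) -> bool:
    """True if a flattened ECS registry event satisfies every condition of the query."""
    if event.get("event.category") != "registry" or event.get("host.os.type") != "windows":
        return False
    if event.get("event.action") == "deletion":
        return False
    # EQL ":" compares keyword fields case-insensitively (the real key is "WebView",
    # the rule spells it "Webview"), so lower-case both sides before matching.
    if (event.get("registry.value") or "").lower() != "url":
        return False
    path = (event.get("registry.path") or "").lower()
    if not any(fnmatch.fnmatchcase(path, p.lower()) for p in OUTLOOK_HOMEPAGE_PATHS):
        return False
    data = event.get("registry.data.strings") or []
    data = [data] if isinstance(data, str) else data
    return any("http" in s.lower() for s in data)

def find_hits(events: Iterable[dict]) -> list:
    return [e for e in events if matches_rule(e)]

def _event(action, path, data):
    # Helper for constructed sample events (not real telemetry).
    return {"event.category": "registry", "host.os.type": "windows", "event.action": action,
            "registry.path": path, "registry.value": "URL", "registry.data.strings": [data]}

INBOX = r"HKEY_USERS\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL"
CALENDAR = INBOX.replace(r"\Inbox\URL", r"\Calendar\URL")

SAMPLE_EVENTS = [
    _event("modification", INBOX, "http://homepage.example/inbox.html"),  # hit
    _event("deletion", INBOX, "http://homepage.example/inbox.html"),      # excluded: deletion
    _event("modification", CALENDAR, "http://homepage.example/cal.html"), # excluded: not the Inbox path
    _event("modification", INBOX, ""),                                    # excluded: no "http"
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT", hit["registry.path"], hit["registry.data.strings"])
```

The Calendar case illustrates a coverage gap worth knowing when tuning: the rule only watches the Inbox folder's URL value, so a home page set on another folder would not fire it.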