Outlook Task/Note Reminder Received
Detects changes to Outlook-related registry values that indicate a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine whether exploitation succeeded.
Sigma rule
```yaml
title: Outlook Task/Note Reminder Received
id: fc06e655-d98c-412f-ac76-05c2698b1cb2
status: experimental
description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/04/05
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.t1137
    - cve.2023.23397
    - detection.emerging_threats
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - '\SOFTWARE\Microsoft\Office\'
            - '\Outlook\'
        TargetObject|contains:
            - '\Tasks\'
            - '\Notes\'
    condition: selection
falsepositives:
    - Legitimate reminders received for a task or a note will also trigger this rule.
level: low
```
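The rule's `selection` logic applied to a few registry_set events, as an added example that is not part of the Sigma rule or its repository. The event layout, SIDs, value names and the helper names `selection_matches` and `triage` are constructed for illustration.

```python
# Added example: evaluates the rule's `selection` against constructed events.
# Sigma string matching is case-insensitive by default, so values are lowercased.

ALL_OF = ["\\software\\microsoft\\office\\", "\\outlook\\"]  # TargetObject|contains|all
ANY_OF = ["\\tasks\\", "\\notes\\"]                           # TargetObject|contains


def selection_matches(target_object: str) -> bool:
    """True when TargetObject satisfies both field conditions (they are ANDed)."""
    value = target_object.lower()
    return all(s in value for s in ALL_OF) and any(s in value for s in ANY_OF)


def triage(events):
    """Return matching events, tagged with the item type that fired."""
    hits = []
    for ev in events:
        path = ev.get("TargetObject", "")
        if not selection_matches(path):
            continue
        kind = "Task" if "\\tasks\\" in path.lower() else "Note"
        hits.append({"Image": ev.get("Image"), "TargetObject": path, "ItemType": kind})
    return hits


# Constructed sample events; SID and value names are placeholders.
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
BASE = r"HKU\S-1-5-21-PLACEHOLDER\SOFTWARE\Microsoft\Office\16.0\Outlook"
SAMPLE_EVENTS = [
    # Value written under ...\Outlook\Tasks\ : matches
    {"Image": OUTLOOK, "TargetObject": BASE + r"\Tasks\EXAMPLE_VALUE"},
    # Same shape under Notes, different casing: still matches
    {"Image": OUTLOOK, "TargetObject": BASE.lower() + r"\notes\example_value"},
    # Outlook key, but neither Tasks nor Notes: no match
    {"Image": OUTLOOK, "TargetObject": BASE + r"\Security\EXAMPLE_VALUE"},
    # Contains \Tasks\ but is not under the Office/Outlook path: no match
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{PLACEHOLDER}"},
    # The key itself, with no trailing backslash: no match
    {"Image": OUTLOOK, "TargetObject": BASE + r"\Tasks"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["ItemType"], hit["Image"], hit["TargetObject"])
```

Every hit still needs the follow-up the rule describes, since a legitimate reminder produces the same registry write.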
Related rules
- IE Change Domain Zone
- Outlook Macro Execution Without Warning Setting Enabled
- Outlook Security Settings Updated - Registry
- Potential COLDSTEEL RAT Windows User Creation
- Potential Encrypted Registry Blob Related To SNAKE Malware