Access To Windows Outlook Mail Files By Uncommon Application

Detects file access requests to Windows Outlook Mail files by uncommon processes. Could indicate a potential credential-stealing attempt. Requires heavy baselining before use.

Sigma rule

title: Access To Windows Outlook Mail Files By Uncommon Application
id: fc3e237f-2fef-406c-b90d-b3ae7e02fa8f
status: experimental
description: |
    Detects file access requests to Windows Outlook Mail by uncommon processes.
    Could indicate potential attempt of credential stealing.
    Requires heavy baselining before usage
references:
    - https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2
    - https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows
author: frack113
date: 2024/05/10
tags:
    - attack.t1070.008
    - attack.defense_evasion
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection_unistore:
        FileName|contains: '\AppData\Local\Comms\Unistore\data'
    selection_unistoredb:
        FileName|endswith: '\AppData\Local\Comms\UnistoreDB\store.vol'
    filter_main_system:
        Image: 'System'
    filter_main_generic:
        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
        Image|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\Windows\system32\'
            - ':\Windows\SysWOW64\'
    filter_optional_defender:
        Image|contains: ':\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
# Note: Increase after initial baseline
level: low
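The following is an added example, not part of the Sigma rule or of the SigmaHQ project: it re-implements the rule's condition in Python and runs it over a handful of constructed file_access events, so you can see which process images would alert and which the `filter_main_*` and `filter_optional_*` selections suppress. It assumes Sigma string modifiers (`contains`, `endswith`, exact value) match case-insensitively, that events carry the rule's `Image` and `FileName` fields, and all sample paths and process names are made up for the demonstration.

```python
# Added example, not part of the Sigma rule or of SigmaHQ: evaluates the rule's
# detection logic over constructed Microsoft-Windows-Kernel-File style events.
# Assumption: Sigma string modifiers (contains/endswith/exact) match
# case-insensitively, so every field is lower-cased before comparison.


def _lc(value):
    """Lower-case a field value, treating a missing field as empty."""
    return (value or "").lower()


def selection_hits(event):
    """1 of selection_*: the accessed path is the Mail app's Unistore data."""
    filename = _lc(event.get("FileName"))
    return ("\\appdata\\local\\comms\\unistore\\data" in filename
            or filename.endswith("\\appdata\\local\\comms\\unistoredb\\store.vol"))


def filter_main_hits(event):
    """1 of filter_main_*: the System process or the broad generic install paths."""
    image = _lc(event.get("Image"))
    if image == "system":                       # filter_main_system (exact match)
        return True
    generic = (":\\program files (x86)\\", ":\\program files\\",
               ":\\windows\\system32\\", ":\\windows\\syswow64\\")
    return any(part in image for part in generic)   # filter_main_generic


def filter_optional_hits(event):
    """1 of filter_optional_*: Defender engine binaries or the THOR scanner."""
    image = _lc(event.get("Image"))
    # Both fields inside filter_optional_defender must hold (AND within one selection).
    defender = (":\\programdata\\microsoft\\windows defender\\" in image
                and image.endswith(("\\mpcopyaccelerator.exe", "\\msmpeng.exe")))
    thor = image.endswith(("\\thor64.exe", "\\thor.exe"))
    return defender or thor


def rule_matches(event):
    """condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return (selection_hits(event)
            and not filter_main_hits(event)
            and not filter_optional_hits(event))


# Constructed sample events (not real telemetry); field names follow the rule.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\unknown_tool.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Comms\UnistoreDB\store.vol"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Comms\UnistoreDB\store.vol"},
    {"Image": "System",
     "FileName": r"C:\Users\alice\AppData\Local\Comms\Unistore\data\3\a.dat"},
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Comms\UnistoreDB\store.vol"},
    {"Image": r"D:\Tools\Everything\Everything.exe",
     "FileName": r"C:\Users\alice\AppData\Local\Comms\Unistore\data\3\b.dat"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\unknown_tool.exe",
     "FileName": r"C:\Users\alice\Documents\notes.txt"},
]


def alerting_images(events=SAMPLE_EVENTS):
    """Process images that would raise this rule on the given events."""
    return [e["Image"] for e in events if rule_matches(e)]


def baseline_counts(events=SAMPLE_EVENTS):
    """Alerts per image: the input for turning recurring legitimate tools into per-application filters."""
    counts = {}
    for e in events:
        if rule_matches(e):
            counts[e["Image"]] = counts.get(e["Image"], 0) + 1
    return counts


if __name__ == "__main__":
    for image, n in baseline_counts().items():
        print(f"{n:3d}  {image}")
```

Two of the six constructed events alert: the unsigned-looking binary in a user's Temp directory, and the search tool running from `D:\`. The second one is exactly the false-positive class the rule lists (searching software, software on a partition other than `C:\`), which is why the rule asks for a baseline first: run `baseline_counts` over a few weeks of real events, then replace the broad `filter_main_generic` with per-application filters for the images that legitimately recur.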
