Potential Persistence Via Outlook Form
Detects the creation of a new Outlook form which can contain malicious code
Sigma rule (View on GitHub)
1title: Potential Persistence Via Outlook Form
2id: c3edc6a5-d9d4-48d8-930e-aab518390917
3status: test
4description: Detects the creation of a new Outlook form which can contain malicious code
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
7 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79
8 - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form
9 - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/
10author: Tobias Michalski (Nextron Systems)
11date: 2021/06/10
12modified: 2023/02/22
13tags:
14 - attack.persistence
15 - attack.t1137.003
16logsource:
17 product: windows
18 category: file_event
19detection:
20 selection:
21 Image|endswith: '\outlook.exe'
22 TargetFilename|contains:
23 - '\AppData\Local\Microsoft\FORMS\IPM'
24 - '\Local Settings\Application Data\Microsoft\Forms' # Windows XP
25 condition: selection
26falsepositives:
27 - Legitimate use of outlook forms
28level: high
References
-
Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.
Read More -
Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.
Read More -
-
When Microsoft Outlook forms are giving your problems, you may need to clear Outlook's Forms Cache.
Read More
Related rules
- Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
- Change Default File Association To Executable Via Assoc
- File Creation In Suspicious Directory By Msdt.EXE
- File Download Via Bitsadmin To An Uncommon Target Folder
- PSEXEC Remote Execution File Artefact