Suspicious Outlook Child Process
Detects a suspicious process spawning from an Outlook process.
Sigma rule

```yaml
title: Suspicious Outlook Child Process
id: 208748f7-881d-47ac-a29c-07ea84bf691d
related:
    - id: 438025f9-5856-4663-83f7-52f878a70a50 # Office Child Processes
      type: derived
    - id: e212d415-0e93-435f-9e1a-f29005bb4723 # Outlook Remote Child Process
      type: derived
status: test
description: Detects a suspicious process spawning from an Outlook process.
references:
    - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
    - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Michael Haag, Florian Roth (Nextron Systems), Markus Neis, Elastic, FPT.EagleEye Team
date: 2022-02-28
modified: 2023-02-04
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\OUTLOOK.EXE'
        Image|endswith:
            - '\AppVLP.exe'
            - '\bash.exe'
            - '\cmd.exe'
            - '\cscript.exe'
            - '\forfiles.exe'
            - '\hh.exe'
            - '\mftrace.exe'
            - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
            - '\msdt.exe' # CVE-2022-30190
            - '\mshta.exe'
            - '\msiexec.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\schtasks.exe'
            - '\scrcons.exe'
            - '\scriptrunner.exe'
            - '\sh.exe'
            - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html
            - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
            - '\wscript.exe'
            # Several FPs with rundll32.exe
            # We started excluding specific use cases and ended up commenting out the rundll32.exe sub processes completely
            # - '\rundll32.exe'
    # filter_outlook_photoviewer: # https://twitter.com/Luke_Hamp/status/1495919717760237568
    #     ParentImage|endswith: '\OUTLOOK.EXE'
    #     Image|endswith: '\rundll32.exe'
    #     CommandLine|contains: '\PhotoViewer.dll'
    # filter_outlook_printattachments: # https://twitter.com/KickaKamil/status/1496238278659485696
    #     ParentImage|endswith: '\OUTLOOK.EXE'
    #     Image|endswith: '\rundll32.exe'
    #     CommandLine|contains|all:
    #         - 'shell32.dll,Control_RunDLL'
    #         - '\SYSTEM32\SPOOL\DRIVERS\'
    condition: selection # and not 1 of filter*
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
```
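To see what the rule's selection block actually does on telemetry, the following added example (not code from the SigmaHQ project or the rule's authors) re-implements the `ParentImage|endswith` / `Image|endswith` logic in plain Python and runs it over a handful of constructed process_creation events. It assumes events arrive as flat dicts keyed by Sigma field names, which is what a Sysmon Event ID 1 record looks like after field mapping, and it applies Sigma's default case-insensitive string matching. The sample events, paths and command lines are constructed for the demo, not real telemetry; the rundll32 event illustrates why the commented-out entry in the rule makes that parent/child pair a miss today.

```python
from __future__ import annotations

# Added example: a minimal evaluator for this rule's `selection` block, not code
# from the SigmaHQ project. Events are assumed to be flat dicts keyed by Sigma
# field names (ParentImage, Image, CommandLine, ParentCommandLine).

# Suffixes copied from the rule. The leading backslash anchors each suffix to the
# file name, so '\sh.exe' does not match bash.exe or notsh.exe, while '\bash.exe'
# still matches a bash.exe living in any directory.
PARENT_SUFFIX = r"\OUTLOOK.EXE"
CHILD_SUFFIXES = [
    r"\AppVLP.exe", r"\bash.exe", r"\cmd.exe", r"\cscript.exe", r"\forfiles.exe",
    r"\hh.exe", r"\mftrace.exe", r"\msbuild.exe", r"\msdt.exe", r"\mshta.exe",
    r"\msiexec.exe", r"\powershell.exe", r"\pwsh.exe", r"\regsvr32.exe",
    r"\schtasks.exe", r"\scrcons.exe", r"\scriptrunner.exe", r"\sh.exe",
    r"\svchost.exe", r"\wmic.exe", r"\wscript.exe",
]
# Fields the rule asks to be surfaced with a hit (its `fields:` block).
OUTPUT_FIELDS = ("CommandLine", "ParentCommandLine")


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma `endswith` modifier: literal suffix match, case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def matches(event: dict) -> bool:
    """Evaluate `condition: selection` for one process_creation event.

    The two field tests inside the selection map are ANDed; the list under
    Image|endswith is ORed. A missing field never matches.
    """
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    if not endswith_ci(parent, PARENT_SUFFIX):
        return False
    return any(endswith_ci(image, suffix) for suffix in CHILD_SUFFIXES)


def alert(event: dict) -> dict:
    """Build the alert payload: the event id plus the rule's `fields`."""
    return {"id": event["id"], **{f: event.get(f) for f in OUTPUT_FIELDS}}


def run(events: list[dict]) -> list[dict]:
    """Return an alert for every event the rule fires on, in input order."""
    return [alert(e) for e in events if matches(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Outlook spawning PowerShell: the attachment-to-script chain the rule targets.
    {"id": "ev1",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ParentCommandLine": '"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.ps1"},
    # Lower-case paths from another log source: still a hit, matching is case-insensitive.
    {"id": "ev2",
     "ParentImage": r"c:\program files\microsoft office\root\office16\outlook.exe",
     "Image": r"c:\windows\system32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Word rather than Outlook as parent: out of scope here (the related Office Child Processes rule covers it).
    {"id": "ev3",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Outlook opening an attached image via rundll32: no hit, rundll32.exe is commented out of the rule.
    {"id": "ev4",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": '"C:\\Windows\\System32\\rundll32.exe" "C:\\Program Files\\Windows Photo Viewer\\PhotoViewer.dll", ImageView_Fullscreen C:\\Users\\alice\\Pictures\\cat.jpg'},
    # Outlook handing a link to the browser: not in the child list, no hit.
    {"id": "ev5",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe https://example.com/"},
]


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints alerts for ev1 and ev2 only. The rundll32 case (ev4) is the trade-off the rule's comments describe: the PhotoViewer and print-attachment filters were abandoned in favour of dropping rundll32.exe entirely, so an Outlook-to-rundll32 chain needs a separate rule or a tuned copy of this one with those filters re-enabled.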
Related rules
- Active Directory Kerberos DLL Loaded Via Office Application
- Active Directory Parsing DLL Loaded Via Office Application
- CLR DLL Loaded Via Office Applications
- DotNET Assembly DLL Loaded Via Office Application
- Download From Suspicious TLD - Blacklist