Suspicious Remote Child Process From Outlook

calendar Oct 18, 2023 · attack.execution attack.t1059 attack.t1202  ·
Share on: linkedin copy

Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).

Sigma rule (View on GitHub)

 1title: Suspicious Remote Child Process From Outlook
 2id: e212d415-0e93-435f-9e1a-f29005bb4723
 3related:
 4    - id: 208748f7-881d-47ac-a29c-07ea84bf691d # Outlook Child Processes
 5      type: similar
 6status: test
 7description: Detects a suspicious child process spawning from Outlook where the image is located in a remote location (SMB/WebDav shares).
 8references:
 9    - https://github.com/sensepost/ruler
10    - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
11    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49
12author: Markus Neis, Nasreddine Bencherchali (Nextron Systems)
13date: 2018/12/27
14modified: 2023/02/09
15tags:
16    - attack.execution
17    - attack.t1059
18    - attack.t1202
19logsource:
20    category: process_creation
21    product: windows
22detection:
23    selection:
24        ParentImage|endswith: '\outlook.exe'
25        Image|startswith: '\\\\'
26    condition: selection
27falsepositives:
28    - Unknown
29level: high

References

  • GitHub - sensepost/ruler: A tool to abuse Exchange services

    A tool to abuse Exchange services. Contribute to sensepost/ruler development by creating an account on GitHub.


    Read More

  • OVERRULED: Containing a Potentially Destructive Adversary | Mandiant

    UPDATE (Jul. 3, 2019): On May 16, 2019 FireEye's Advanced Practices team attributed the remaining "suspected APT33 activity" (referred to as GroupB in this blog post) to APT33, operating at the beh...


    Read More

  • Hunting for persistence via Microsoft Exchange Server or Outlook

    Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.


    Read More

Related rules

to-top