Potential Persistence Via Outlook Home Page
Detects potential persistence activity via Outlook home pages.
Sigma rule
```yaml
title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
status: experimental
description: Detects potential persistence activity via outlook home pages.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
author: Tobias Michalski (Nextron Systems)
date: 2021/06/09
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_1:
        TargetObject|contains:
            - '\Software\Microsoft\Office\'
            - '\Outlook\WebView\'
        TargetObject|endswith: '\URL'
    selection_2:
        TargetObject|contains:
            - '\Calendar\'
            - '\Inbox\'
    condition: all of selection_*
fields:
    - Details
falsepositives:
    - Unknown
level: high
```
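The rule's detection block evaluated over registry_set events, as an added example that is not part of the Sigma project or this rule's repository. It assumes standard Sigma semantics (case-insensitive string matching, a value list under one modifier is OR, fields within a selection are AND); the function names and all sample events are constructed for illustration.

```python
# Added illustration: evaluates this rule's detection logic in plain Python.
# Assumed Sigma semantics: case-insensitive matching, list values are OR'ed,
# fields inside one selection are AND'ed.
CONTAINS_1 = ("\\Software\\Microsoft\\Office\\", "\\Outlook\\WebView\\")
ENDSWITH_1 = "\\URL"
CONTAINS_2 = ("\\Calendar\\", "\\Inbox\\")

def selection_1(target):
    t = target.lower()
    return any(s.lower() in t for s in CONTAINS_1) and t.endswith(ENDSWITH_1.lower())

def selection_2(target):
    t = target.lower()
    return any(s.lower() in t for s in CONTAINS_2)

def matches(event):
    """condition: all of selection_*"""
    target = event.get("TargetObject", "")
    return selection_1(target) and selection_2(target)

def alerts(events):
    """Return (TargetObject, Details) for each hit; Details is the rule's output field."""
    return [(e["TargetObject"], e.get("Details")) for e in events if matches(e)]

# Constructed sample events (not real telemetry). Details holds the value written.
SID = r"HKU\S-1-5-21-0-0-0-1001"
EVENTS = [
    # Hit: home page URL set on the Inbox folder.
    {"TargetObject": SID + r"\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\URL",
     "Details": "https://example.invalid/home.html"},
    # Hit: same key logged in lower case (matching is case-insensitive).
    {"TargetObject": SID.lower() + r"\software\microsoft\office\16.0\outlook\webview\calendar\url",
     "Details": "https://example.invalid/cal.html"},
    # Miss: value name is not URL, so endswith fails.
    {"TargetObject": SID + r"\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox\Security",
     "Details": "DWORD (0x00000001)"},
    # Miss: folder is neither Calendar nor Inbox, so selection_2 fails.
    {"TargetObject": SID + r"\Software\Microsoft\Office\16.0\Outlook\WebView\Contacts\URL",
     "Details": "https://example.invalid/c.html"},
    # Hit: the contains list is OR'ed, so an Office key outside WebView still matches.
    {"TargetObject": SID + r"\Software\Microsoft\Office\16.0\Common\Inbox\URL",
     "Details": "https://example.invalid/other.html"},
]

if __name__ == "__main__":
    for target, details in alerts(EVENTS):
        print(f"ALERT {target} -> {details}")
```

The last sample shows that, because `TargetObject|contains` carries no `all` modifier, either substring in selection_1 is sufficient; triage should check the `Details` URL and the full key path.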
Related rules
- Potential Persistence Via Outlook Today Pages
- Winlogon AllowMultipleTSSessions Enable
- OilRig APT Activity
- OilRig APT Schedule Task Persistence - Security
- Potential Persistence Via Event Viewer Events.asp