Potential Persistence Via Outlook Home Page

calendar Aug 17, 2023 · attack.persistence attack.t1112  ·
Share on: linkedin copy

Detects potential persistence activity via outlook home pages.

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Outlook Home Page
 2id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
 3status: experimental
 4description: Detects potential persistence activity via outlook home pages.
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
 7    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
 8author: Tobias Michalski (Nextron Systems)
 9date: 2021/06/09
10modified: 2023/08/17
11tags:
12    - attack.persistence
13    - attack.t1112
14logsource:
15    product: windows
16    category: registry_set
17detection:
18    selection_1:
19        TargetObject|contains:
20            - '\Software\Microsoft\Office\'
21            - '\Outlook\WebView\'
22        TargetObject|endswith: '\URL'
23    selection_2:
24        TargetObject|contains:
25            - '\Calendar\'
26            - '\Inbox\'
27    condition: all of selection_*
28fields:
29    - Details
30falsepositives:
31    - Unknown
32level: high

References

  • Hunting for persistence via Microsoft Exchange Server or Outlook

    Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.


    Read More

  • Outlook Home Page feature is missing in folder properties - Microsoft Support

    Last Updated: October 25, 2017 ISSUE After installing the October Public Update, folder home pages no longer appear and the Home Page feature is missing in Outlook folder properties. This feature w...


    Read More

Related rules

to-top