Potential Persistence Via Outlook Home Page

Detects potential persistence activity via outlook home pages.

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Outlook Home Page
 2id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
 3status: test
 4description: Detects potential persistence activity via outlook home pages.
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
 7    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
 8author: Tobias Michalski (Nextron Systems)
 9date: 2021/06/09
10modified: 2023/08/17
11tags:
12    - attack.persistence
13    - attack.t1112
14logsource:
15    product: windows
16    category: registry_set
17detection:
18    selection_1:
19        TargetObject|contains:
20            - '\Software\Microsoft\Office\'
21            - '\Outlook\WebView\'
22        TargetObject|endswith: '\URL'
23    selection_2:
24        TargetObject|contains:
25            - '\Calendar\'
26            - '\Inbox\'
27    condition: all of selection_*
28fields:
29    - Details
30falsepositives:
31    - Unknown
32level: high

References

Related rules

to-top