Potential Persistence Via Outlook Today Page

 1title: Potential Persistence Via Outlook Today Page
 2id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
 3related:
 4    - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
 5      type: similar
 6status: test
 7description: |
 8    Detects potential persistence activity via outlook today page.
 9    An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".    
10references:
11    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
12    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
13author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
14date: 2021-06-10
15modified: 2024-08-07
16tags:
17    - attack.persistence
18    - attack.t1112
19logsource:
20    product: windows
21    category: registry_set
22detection:
23    selection_main:
24        TargetObject|contains|all:
25            - 'Software\Microsoft\Office\'
26            - '\Outlook\Today\'
27    selection_value_stamp:
28        TargetObject|endswith: '\Stamp'
29        Details: 'DWORD (0x00000001)'
30    selection_value_url:
31        TargetObject|endswith:
32            - '\URL'
33            - '\UserDefinedUrl'
34    filter_main_office:
35        Image|startswith:
36            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
37            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
38        Image|endswith: '\OfficeClickToRun.exe'
39    condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
40falsepositives:
41    - Unknown
42level: high

References

• Hunting for persistence via Microsoft Exchange Server or Outlook

  

  Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired targ…

  
  Read More

• Specula - Turning Outlook Into a C2 With One Registry Change

  

  There exist a few singular Registry changes that any non-privileged user can make that transform the Outlook email client into a beaconing C2 agent. Given that outlook.exe is a trusted process, thi...

  
  Read More

Related rules

• CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
• FlowCloud Registry Markers
• OilRig APT Activity
• OilRig APT Registry Persistence
• OilRig APT Schedule Task Persistence - Security