Potential Persistence Via Outlook Today Page

 1title: Potential Persistence Via Outlook Today Page
 2id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
 3related:
 4    - id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
 5      type: similar
 6status: test
 7description: |
 8    Detects potential persistence activity via outlook today page.
 9    An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".    
10references:
11    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
12    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
13author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
14date: 2021-06-10
15modified: 2024-08-07
16tags:
17    - attack.defense-evasion
18    - attack.persistence
19    - attack.t1112
20logsource:
21    product: windows
22    category: registry_set
23detection:
24    selection_main:
25        TargetObject|contains|all:
26            - 'Software\Microsoft\Office\'
27            - '\Outlook\Today\'
28    selection_value_stamp:
29        TargetObject|endswith: '\Stamp'
30        Details: 'DWORD (0x00000001)'
31    selection_value_url:
32        TargetObject|endswith:
33            - '\URL'
34            - '\UserDefinedUrl'
35    filter_main_office:
36        Image|startswith:
37            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
38            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
39        Image|endswith: '\OfficeClickToRun.exe'
40    condition: selection_main and 1 of selection_value_* and not 1 of filter_main_*
41falsepositives:
42    - Unknown
43level: high

References

• Hunting for persistence via Microsoft Exchange Server or Outlook

  

  Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired targ…

  
  Read More

• Specula - Turning Outlook Into a C2 With One Registry Change

  

  There exist a few singular Registry changes that any non-privileged user can make that transform the Outlook email client into a beaconing C2 agent. Given that outlook.exe is a trusted process, thi...

  
  Read More

Related rules

• Activate Suppression of Windows Security Center Notifications
• Add DisallowRun Execution to Registry
• Allow RDP Remote Assistance Feature
• Blackbyte Ransomware Registry
• Blue Mockingbird