Potential Persistence Via Outlook Today Pages

Detects potential persistence activity via Outlook Today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".

Sigma rule (View on GitHub)

title: Potential Persistence Via Outlook Today Pages
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
status: experimental
description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
author: Tobias Michalski (Nextron Systems)
date: 2021/06/10
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains|all:
            - 'Software\Microsoft\Office\'
            - '\Outlook\Today\'
    selection_value_stamp:
        TargetObject|endswith: 'Stamp'
        Details: 'DWORD (0x00000001)'
    selection_value_user_defined:
        TargetObject|endswith: 'UserDefinedUrl'
    filter_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection_main and 1 of selection_value_* and not 1 of filter_*
fields:
    - Details
falsepositives:
    - Unknown
level: high
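To show how the condition above actually evaluates, here is an added example (not part of the Sigma rule or the Sigma project) that re-implements the rule's selections and filter in Python and runs them over a handful of constructed registry_set events. The events use the Sysmon Event ID 13 field names the rule relies on (TargetObject, Details, Image); the SIDs, paths and URL in them are made up. Two details worth noticing: Sigma string modifiers match case-insensitively, and filter_office only suppresses an event when both the directory prefix and the executable name match, so the same binary name running from an unexpected directory is still reported.

```python
"""Evaluate the 'Potential Persistence Via Outlook Today Pages' Sigma logic
over registry_set events. Added example with constructed sample events; it is
not the Sigma project's own code and the events are not real telemetry."""

# Fragments from selection_main (TargetObject|contains|all), lower-cased
# because Sigma string matching is case-insensitive.
OUTLOOK_TODAY_PARTS = ("software\\microsoft\\office\\", "\\outlook\\today\\")

# Directories from filter_office (Image|startswith), lower-cased.
CLICKTORUN_DIRS = (
    "c:\\program files\\common files\\microsoft shared\\clicktorun\\",
    "c:\\program files\\common files\\microsoft shared\\clicktorun\\updates\\",
)


def matches_rule(event: dict) -> bool:
    """Return True when a single registry_set event satisfies the rule condition."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    image = event.get("Image", "").lower()

    # selection_main: every fragment must appear in TargetObject
    selection_main = all(part in target for part in OUTLOOK_TODAY_PARTS)

    # selection_value_stamp: value name 'Stamp' written as DWORD 1
    # ('DWORD (0x00000001)' is how Sysmon renders the Details field)
    selection_value_stamp = target.endswith("stamp") and details == "dword (0x00000001)"

    # selection_value_user_defined: value name 'UserDefinedUrl', any content
    selection_value_user_defined = target.endswith("userdefinedurl")

    # filter_office: known ClickToRun directory AND the expected binary name
    filter_office = (
        any(image.startswith(d) for d in CLICKTORUN_DIRS)
        and image.endswith("\\officeclicktorun.exe")
    )

    # condition: selection_main and 1 of selection_value_* and not 1 of filter_*
    return (
        selection_main
        and (selection_value_stamp or selection_value_user_defined)
        and not filter_office
    )


def scan(events) -> list:
    """Return the indexes of the events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (Sysmon Event ID 13 shape); all values are made up.
KEY = r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Office\16.0\Outlook\Today"
SAMPLE_EVENTS = [
    {   # 0: UserDefinedUrl written by reg.exe -> fires
        "TargetObject": KEY + r"\UserDefinedUrl",
        "Details": "http://example.invalid/today.htm",
        "Image": r"C:\Windows\System32\reg.exe",
    },
    {   # 1: Stamp set to 1 by PowerShell -> fires
        "TargetObject": KEY + r"\Stamp",
        "Details": "DWORD (0x00000001)",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # 2: same Stamp write by OfficeClickToRun.exe from its expected path -> filtered
        "TargetObject": KEY + r"\Stamp",
        "Details": "DWORD (0x00000001)",
        "Image": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe",
    },
    {   # 3: Outlook\Today key, but a value name the rule does not select -> no match
        "TargetObject": KEY + r"\Folders",
        "Details": "Binary Data",
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    },
    {   # 4: binary named OfficeClickToRun.exe from a non-ClickToRun directory -> fires
        "TargetObject": KEY + r"\UserDefinedUrl",
        "Details": "http://example.invalid/today.htm",
        "Image": r"C:\Users\Public\OfficeClickToRun.exe",
    },
    {   # 5: Stamp reset to 0 -> selection_value_stamp does not match
        "TargetObject": KEY + r"\Stamp",
        "Details": "DWORD (0x00000000)",
        "Image": r"C:\Windows\System32\reg.exe",
    },
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['Image']} -> {SAMPLE_EVENTS[i]['TargetObject']}")
```

Running the script reports events 0, 1 and 4. Because the Details comparison is tied to Sysmon's "DWORD (0x00000001)" rendering, a pipeline that normalises registry values differently (for example to a bare integer) would silently lose the Stamp branch of the rule, which is worth verifying against your own registry_set telemetry before relying on it.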
