Potential Persistence Via Outlook Today Pages
Detects potential persistence activity via Outlook Today pages. An attacker can set a custom page that executes arbitrary code and link to it via the registry value "UserDefinedUrl".
Sigma rule

title: Potential Persistence Via Outlook Today Pages
id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
status: experimental
description: Detects potential persistence activity via outlook today pages. An attacker can set a custom page to execute arbitrary code and link to it via the registry key "UserDefinedUrl".
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
author: Tobias Michalski (Nextron Systems)
date: 2021/06/10
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains|all:
            - 'Software\Microsoft\Office\'
            - '\Outlook\Today\'
    selection_value_stamp:
        TargetObject|endswith: 'Stamp'
        Details: 'DWORD (0x00000001)'
    selection_value_user_defined:
        TargetObject|endswith: 'UserDefinedUrl'
    filter_office:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    condition: selection_main and 1 of selection_value_* and not 1 of filter_*
fields:
    - Details
falsepositives:
    - Unknown
level: high
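As an added example (not part of the rule or of the SigmaHQ project), the detection logic above written out in Python and run over constructed registry_set events, so you can see which writes fire and which the Click-to-Run filter suppresses. The key paths, image paths and Details values in the events are constructed samples, not real telemetry.

```python
# Added example (not part of the rule or SigmaHQ): this rule's detection
# logic as plain Python, run over constructed registry_set events.
# Sigma string modifiers (contains, endswith, startswith) match case-insensitively.
MAIN_SUBSTRINGS = ["software\\microsoft\\office\\", "\\outlook\\today\\"]
OFFICE_DIRS = ["c:\\program files\\common files\\microsoft shared\\clicktorun\\",
               "c:\\program files\\common files\\microsoft shared\\clicktorun\\updates\\"]

TODAY = "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\Today\\"  # constructed key path
C2R = "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe"
# Constructed sample events in Sysmon registry_set shape; no real telemetry.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\setup.exe", "TargetObject": TODAY + "UserDefinedUrl",
     "Details": "C:\\Users\\alice\\page.htm"},              # unexpected writer -> alert
    {"Image": "C:\\Users\\alice\\setup.exe", "TargetObject": TODAY + "Stamp",
     "Details": "DWORD (0x00000001)"},                        # Stamp enabled -> alert
    {"Image": C2R, "TargetObject": TODAY + "UserDefinedUrl",
     "Details": ""},                                          # Office Click-to-Run -> filtered
    {"Image": "C:\\Users\\alice\\setup.exe", "TargetObject": TODAY + "Stamp",
     "Details": "DWORD (0x00000000)"},                        # Stamp not 1 -> no match
    {"Image": "C:\\Users\\alice\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Outlook\\WebView\\Stamp",
     "Details": "DWORD (0x00000001)"},                        # not the Today key -> no match
]

def selection_main(ev):
    t = ev["TargetObject"].lower()
    return all(s in t for s in MAIN_SUBSTRINGS)      # TargetObject|contains|all

def selection_value_stamp(ev):
    return (ev["TargetObject"].lower().endswith("stamp")
            and ev["Details"].lower() == "dword (0x00000001)")

def selection_value_user_defined(ev):
    return ev["TargetObject"].lower().endswith("userdefinedurl")

def filter_office(ev):
    img = ev["Image"].lower()
    return any(img.startswith(d) for d in OFFICE_DIRS) and img.endswith("\\officeclicktorun.exe")

def matches(ev):
    # condition: selection_main and 1 of selection_value_* and not 1 of filter_*
    return (selection_main(ev)
            and (selection_value_stamp(ev) or selection_value_user_defined(ev))
            and not filter_office(ev))

def alerts(events):
    """Return the TargetObject of every event the rule would fire on."""
    return [ev["TargetObject"] for ev in events if matches(ev)]
```

Running alerts(SAMPLE_EVENTS) returns only the two writes from setup.exe; the identical UserDefinedUrl write by OfficeClickToRun.exe is dropped by filter_office, which is where tuning for other legitimate Office installers would go.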
Related rules
- Potential Persistence Via Outlook Home Page
- Winlogon AllowMultipleTSSessions Enable
- OilRig APT Activity
- OilRig APT Schedule Task Persistence - Security
- Potential Persistence Via Event Viewer Events.asp