Date: 08/08/2024
Severity: High
Summary
Detects potential persistent activity through the Outlook Today page. An attacker may configure a custom page to execute arbitrary code and reference it using the registry values "URL" and "UserDefinedUrl."
Indicators of Compromise (IOC) List
TargetObject | Software\Microsoft\Office\ ; \Outlook\Today\ ; \Stamp ; \URL ; \UserDefinedUrl |
Details | 'DWORD (0x00000001)' |
Image (legitimate writers, excluded) | 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' ; 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (resourceName = "Sysmon" AND eventtype = "13") AND targetobject in ("Software\\Microsoft\\Office", "\\Outlook\\Today", "\\Stamp", "\\URL", "\\UserDefinedUrl") AND details like "DWORD (0x00000001)" AND imagepath not in ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates") |
Detection Query 2 | (technologygroup = "EDR") AND targetobject in ("Software\\Microsoft\\Office", "\\Outlook\\Today", "\\Stamp", "\\URL", "\\UserDefinedUrl") AND details like "DWORD (0x00000001)" AND imagepath not in ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun", "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\Updates") |
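The same indicators applied to Sysmon Event ID 13 records in Python, as an added example that is not part of the Gurucul advisory or its query language. It reads the indicator table as: Stamp must be set to DWORD 1, a write to URL or UserDefinedUrl matches on the value name alone, and writes from the Click-to-Run folders are excluded; the sample events, SID and URL are constructed.

```python
"""Apply the Outlook Today page indicators to Sysmon Event ID 13 records."""

# Every matching TargetObject must contain both key fragments (case-insensitive)
KEY_MARKERS = ("software\\microsoft\\office\\", "\\outlook\\today\\")
# Office Click-to-Run components legitimately write these values; the Updates
# folder sits beneath this prefix, so one prefix covers both excluded paths
CLICKTORUN_PREFIX = "c:\\program files\\common files\\microsoft shared\\clicktorun\\"


def is_outlook_today_persistence(event: dict) -> bool:
    """Return True when a registry value-set event matches the indicators."""
    if str(event.get("EventID")) != "13":  # Sysmon RegistryEvent (value set)
        return False
    target = event.get("TargetObject", "").lower()
    image = event.get("Image", "").lower()
    details = event.get("Details", "")
    if not all(marker in target for marker in KEY_MARKERS):
        return False
    # Stamp set to 1 is the listed indicator that a custom page is enabled
    stamp_enabled = target.endswith("\\stamp") and details == "DWORD (0x00000001)"
    # URL / UserDefinedUrl point Outlook at the page; any write is of interest
    page_pointer = target.endswith(("\\url", "\\userdefinedurl"))
    if not (stamp_enabled or page_pointer):
        return False
    return not image.startswith(CLICKTORUN_PREFIX)


def find_alerts(events: list) -> list:
    """Filter a batch of Sysmon events down to those worth alerting on."""
    return [e for e in events if is_outlook_today_persistence(e)]


# Constructed sample events (not real telemetry); SID and URL are made up
_KEY = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office\\16.0\\Outlook\\Today\\"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _KEY + "Stamp", "Details": "DWORD (0x00000001)"},          # alert
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _KEY + "UserDefinedUrl", "Details": "https://example.invalid/today.htm"},  # alert
    {"EventID": 13, "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
     "TargetObject": _KEY + "Stamp", "Details": "DWORD (0x00000001)"},          # excluded writer
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _KEY + "Stamp", "Details": "DWORD (0x00000000)"},          # Stamp not enabled
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": _KEY.replace("Today\\", "Preferences\\") + "Stamp", "Details": "DWORD (0x00000001)"},  # other key
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['Image']} -> {alert['TargetObject']}")
```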
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_todaypage.yml
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=74
https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change