Detectionhightest

Potential Persistence Via Outlook Home Page

Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Tobias Michalski, David Bertho & Eirik Sveen, StorebrandCreated Wed Jun 09Updated Wed Aug 07ddd171b5-2cc6-4975-9e78-f0eccd08cc76windows

Log Source

WindowsRegistry Set

ProductWindows← raw: windows

CategoryRegistry Set← raw: registry_set

Detection Logic

detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Microsoft\Office\'
            - '\Outlook\WebView\'
        TargetObject|endswith: '\URL'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

speakerdeck.com

Resolving title…

support.microsoft.com

Resolving title…

trustedsec.com

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion TA0003 · Persistence

Techniques

T1112 · Modify Registry

Related Rules

SimilarDetectionhigh

Potential Persistence Via Outlook Today Page

Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

ddd171b5-2cc6-4975-9e78-f0eccd08cc76

Status

test

Level

high

Type

Detection

Created

Wed Jun 09

Modified

Wed Aug 07

Author

Tobias Michalski, David Bertho & Eirik Sveen, Storebrand

Path

rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml

Raw Tags

attack.defense-evasionattack.persistenceattack.t1112

View on GitHub