Threat Huntlowtest
Access To Windows Outlook Mail Files By Uncommon Applications
Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Hunting Hypothesis
Log Source
Windowsfile_access
ProductWindows← raw: windows
Categoryfile_access← raw: file_access
Definition
Requirements: Microsoft-Windows-Kernel-File ETW provider
Detection Logic
Detection Logic6 selectors
detection:
selection_unistore:
FileName|contains: '\AppData\Local\Comms\Unistore\data'
selection_unistoredb:
FileName|endswith: '\AppData\Local\Comms\UnistoreDB\store.vol'
filter_main_system:
Image: 'System'
filter_main_generic:
# This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
- 'C:\Windows\system32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
filter_optional_thor:
Image|endswith:
- '\thor64.exe'
- '\thor.exe'
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Antivirus, Anti-Spyware, Anti-Malware Software
Backup software
Legitimate software installed on partitions other than "C:\"
Searching software such as "everything.exe"
MITRE ATT&CK
Tactics
Sub-techniques
Other
detection.threat-hunting
Rule Metadata
Rule ID
fc3e237f-2fef-406c-b90d-b3ae7e02fa8f
Status
test
Level
low
Type
Threat Hunt
Created
Fri May 10
Modified
Mon Jul 29
Author
Path
rules-threat-hunting/windows/file/file_access/file_access_win_office_outlook_mail_credential.yml
Raw Tags
attack.t1070.008attack.defense-evasiondetection.threat-hunting