mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
32 lines
949 B
YAML
32 lines
949 B
YAML
title: Persistent Outlook Landing Pages
|
|
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
|
|
description: Detects the manipulation of persistant URLs which can be malicious
|
|
status: experimental
|
|
references:
|
|
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
|
|
- https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
|
|
author: Tobias Michalski
|
|
date: 2021/06/09
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1112
|
|
logsource:
|
|
product: windows
|
|
category: registry_event
|
|
detection:
|
|
selection1:
|
|
TargetObject|contains:
|
|
- 'Software\Microsoft\Office\'
|
|
- 'Outlook\WebView\'
|
|
TargetObject|endswith: 'URL'
|
|
selection2:
|
|
TargetObject|contains:
|
|
- 'Calendar'
|
|
- 'Inbox'
|
|
condition: selection1 and 1 of selection2
|
|
fields:
|
|
- Details
|
|
falsepositives:
|
|
- unknown
|
|
level: high
|