SigmaHQ/rules/windows/process_creation/win_susp_outlook.yml
2020-10-15 19:33:33 -03:00

27 lines
808 B
YAML

title: Suspicious Execution from Outlook
id: e212d415-0e93-435f-9e1a-f29005bb4723
status: experimental
description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook
references:
- https://github.com/sensepost/ruler
- https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
tags:
- attack.execution
- attack.t1059
- attack.t1202
author: Markus Neis
date: 2018/12/27
logsource:
category: process_creation
product: windows
detection:
clientMailRules:
CommandLine|contains: 'EnableUnsafeClientMailRules'
outlookExec:
ParentImage|endswith: '\outlook.exe'
CommandLine: \\\\*\\*.exe
condition: clientMailRules or outlookExec
falsepositives:
- unknown
level: high