Detection rules › Sigma

Potential Persistence Via Outlook Home Page

Severity
high
Author
Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
Source
upstream

Detects potential persistence activity via an Outlook folder home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys under the Office hive.

MITRE ATT&CK coverage

Tactic | Technique
Persistence | T1112 Modify Registry
Defense Evasion | T1112 Modify Registry

Event coverage

Provider | Event ID | Title
Sysmon | 13 | RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection

TargetObject|endswith: '\URL'
TargetObject|contains: '\Outlook\WebView\'
TargetObject|contains: '\Software\Microsoft\Office\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
TargetObject | ends_with |
  • \URL (corpus 2; sigma 2)
TargetObject | match |
  • \Outlook\WebView\
  • \Software\Microsoft\Office\
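The selection in Stage 1 and the indicator rows above describe the same three predicates on the Sysmon TargetObject field; in Sigma, the entries of a selection map are combined with AND, and string modifiers such as endswith and contains match case-insensitively. The following added example (not part of the rule or the catalog) implements that logic over a handful of constructed Sysmon Event ID 13 records, so the predicates can be exercised offline. The SID, paths and URL in the sample records are placeholders, and the folder-name extraction is an added triage aid rather than something the rule itself does.

```python
import re

# Constructed sample Sysmon Event ID 13 (RegistryEvent, Value Set) records.
# Illustrative only; the SID, image paths and URL are placeholders.
SAMPLE_EVENTS = [
    {   # Outlook Inbox home page being set: should match
        "EventID": 13,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office"
                        "\\16.0\\Outlook\\WebView\\Inbox\\URL",
        "Details": "http://placeholder.invalid/home.html",
    },
    {   # Ordinary Outlook option under the same Office hive: should not match
        "EventID": 13,
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office"
                        "\\16.0\\Outlook\\Options\\General\\PONT_STRING",
        "Details": "DWORD (0x00000001)",
    },
    {   # Same key path but Event ID 12 (key create), which the rule does not cover
        "EventID": 12,
        "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office"
                        "\\16.0\\Outlook\\WebView\\Inbox",
        "Details": "",
    },
    {   # Calendar folder, value name in lower case: Sigma matching is case-insensitive
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\reg.exe",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\software\\microsoft\\office"
                        "\\16.0\\outlook\\webview\\Calendar\\url",
        "Details": "http://placeholder.invalid/cal.html",
    },
]

# Captures the WebView folder name (Inbox, Calendar, ...) for triage output.
_FOLDER_RE = re.compile(r"\\outlook\\webview\\([^\\]+)\\url$", re.IGNORECASE)


def matches_outlook_homepage_rule(event: dict) -> bool:
    """Apply the rule's Stage 1 selection: Sysmon EID 13 and all three
    TargetObject predicates (endswith '\\URL', contains '\\Outlook\\WebView\\',
    contains '\\Software\\Microsoft\\Office\\'), case-insensitively."""
    if event.get("EventID") != 13:
        return False
    target = str(event.get("TargetObject", "")).lower()
    return (
        target.endswith("\\url")
        and "\\outlook\\webview\\" in target
        and "\\software\\microsoft\\office\\" in target
    )


def find_matches(events) -> list:
    """Return a triage summary for every event the rule would fire on."""
    hits = []
    for event in events:
        if not matches_outlook_homepage_rule(event):
            continue
        m = _FOLDER_RE.search(event["TargetObject"])
        hits.append({
            "folder": m.group(1) if m else None,   # which Outlook folder got a home page
            "url": event.get("Details", ""),        # the page that will be loaded
            "image": event.get("Image", ""),         # process that wrote the value
            "target": event["TargetObject"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"[ALERT] folder={hit['folder']!r} url={hit['url']!r} by {hit['image']}")
```

Run as a script it prints one alert line per matching record; two of the four constructed events fire (the Inbox and Calendar home pages), while the ordinary Outlook option and the key-creation event do not. In a real pipeline the Details and Image fields are the first things to review, since a home page written by something other than Outlook itself, or pointing at an external host, is the signal worth escalating.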