detection.wiki

Detection rules › Sigma

Potential Persistence Via Outlook Today Page

Severity
high
Author
Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
Source
upstream

Detects potential persistence activity via outlook today page. An attacker can set a custom page to execute arbitrary code and link to it via the registry values "URL" and "UserDefinedUrl".

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1112 Modify Registry
Defense EvasionT1112 Modify Registry

Event coverage

ProviderEvent IDTitle
Sysmon13RegistryEvent (Value Set)

Stages and Predicates

Stage 1: selection_main

TargetObject|contains: 'Software\Microsoft\Office\'
TargetObject|contains: '\Outlook\Today\'

Stage 2: 1 of selection_value_stamp

Details: 'DWORD (0x00000001)'
TargetObject|endswith: '\Stamp'

Stage 3: 1 of selection_value_url

or:
TargetObject|endswith: '\URL'
TargetObject|endswith: '\UserDefinedUrl'

Stage 4: not 1 of filter_main_office

or:
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Detailseq
  • DWORD (0x00000001) corpus 37 (sigma 37)
Imageends_with
  • \OfficeClickToRun.exe corpus 10 (sigma 10)
Imagestarts_with
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ corpus 8 (sigma 8)
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\ corpus 5 (sigma 5)
TargetObjectends_with
  • \Stamp
  • \URL corpus 2 (sigma 2)
  • \UserDefinedUrl
TargetObjectmatch
  • Software\Microsoft\Office\ corpus 2 (sigma 2)
  • \Outlook\Today\