sigmahighHunting

Potential Persistence Via Outlook Home Page

Detects potential persistence activity via outlook home page. An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.

MITRE ATT&CK

T1112

defense-evasionpersistence

Detection Query

selection:
  TargetObject|contains|all:
    - \Software\Microsoft\Office\
    - \Outlook\WebView\
  TargetObject|endswith: \URL
condition: selection

Author

Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand

Created

2021-06-09

Data Sources

windowsRegistry Set Events

Platforms

windows

References

Tags

attack.defense-evasionattack.persistenceattack.t1112

Raw Content

title: Potential Persistence Via Outlook Home Page
id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76
related:
    - id: 487bb375-12ef-41f6-baae-c6a1572b4dd1
      type: similar
status: test
description: |
    Detects potential persistence activity via outlook home page.
    An attacker can set a home page to achieve code execution and persistence by editing the WebView registry keys.
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
    - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us
    - https://trustedsec.com/blog/specula-turning-outlook-into-a-c2-with-one-registry-change
author: Tobias Michalski (Nextron Systems), David Bertho (@dbertho) & Eirik Sveen (@0xSV1), Storebrand
date: 2021-06-09
modified: 2024-08-07
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains|all:
            - '\Software\Microsoft\Office\'
            - '\Outlook\WebView\'
        TargetObject|endswith: '\URL'
    condition: selection
falsepositives:
    - Unknown
level: high