EXPLORE
Sign In
← Back to Explore
sigmalowHunting

Access To Windows Outlook Mail Files By Uncommon Applications

Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage

MITRE ATT&CK

T1070.008

Detection Query

selection_unistore:
  FileName|contains: \AppData\Local\Comms\Unistore\data
selection_unistoredb:
  FileName|endswith: \AppData\Local\Comms\UnistoreDB\store.vol
filter_main_system:
  Image: System
filter_main_generic:
  Image|startswith:
    - C:\Program Files (x86)\
    - C:\Program Files\
    - C:\Windows\system32\
    - C:\Windows\SysWOW64\
filter_optional_defender:
  Image|startswith: C:\ProgramData\Microsoft\Windows Defender\
  Image|endswith:
    - \MpCopyAccelerator.exe
    - \MsMpEng.exe
filter_optional_thor:
  Image|endswith:
    - \thor64.exe
    - \thor.exe
condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*

Author

frack113

Created

2024-05-10

Data Sources

windowsfile_access

Platforms

windows

References

Tags

attack.stealthattack.t1070.008detection.threat-hunting
Raw Content
title: Access To Windows Outlook Mail Files By Uncommon Applications
id: fc3e237f-2fef-406c-b90d-b3ae7e02fa8f
status: test
description: |
    Detects file access requests to Windows Outlook Mail by uncommon processes.
    Could indicate potential attempt of credential stealing.
    Requires heavy baselining before usage
references:
    - https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2
    - https://github.com/redcanaryco/atomic-red-team/blob/58496ee3306e6e42a7054d36a94e6eb561ee3081/atomics/T1070.008/T1070.008.md#atomic-test-4---copy-and-modify-mailbox-data-on-windows
author: frack113
date: 2024-05-10
modified: 2024-07-29
tags:
    - attack.stealth
    - attack.t1070.008
    - detection.threat-hunting
logsource:
    category: file_access
    product: windows
    definition: 'Requirements: Microsoft-Windows-Kernel-File ETW provider'
detection:
    selection_unistore:
        FileName|contains: '\AppData\Local\Comms\Unistore\data'
    selection_unistoredb:
        FileName|endswith: '\AppData\Local\Comms\UnistoreDB\store.vol'
    filter_main_system:
        Image: 'System'
    filter_main_generic:
        # This filter is added to avoid large amount of FP with 3rd party software. You should remove this in favour of specific filter per-application
        Image|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\system32\'
            - 'C:\Windows\SysWOW64\'
    filter_optional_defender:
        Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
        Image|endswith:
            - '\MpCopyAccelerator.exe'
            - '\MsMpEng.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor64.exe'
            - '\thor.exe'
    condition: 1 of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Antivirus, Anti-Spyware, Anti-Malware Software
    - Backup software
    - Legitimate software installed on partitions other than "C:\"
    - Searching software such as "everything.exe"
# Note: Increase after initial baseline
level: low