Suspicious Inter-Process Communication via Outlook
editSuspicious Inter-Process Communication via Outlook
editDetects Inter-Process Communication with Outlook via Component Object Model from an unusual process. Adversaries may target user email to collect sensitive information or send email on their behalf via API.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Collection
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where event.action == "start" and process.name : "OUTLOOK.EXE" and
process.Ext.effective_parent.name != null and
not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Collection
- ID: TA0009
- Reference URL: https://attack.mitre.org/tactics/TA0009/
-
Technique:
- Name: Email Collection
- ID: T1114
- Reference URL: https://attack.mitre.org/techniques/T1114/
-
Sub-technique:
- Name: Local Email Collection
- ID: T1114.001
- Reference URL: https://attack.mitre.org/techniques/T1114/001/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Inter-Process Communication
- ID: T1559
- Reference URL: https://attack.mitre.org/techniques/T1559/
-
Sub-technique:
- Name: Component Object Model
- ID: T1559.001
- Reference URL: https://attack.mitre.org/techniques/T1559/001/