LoFP / false positives are possible if the organization adds new forms to Outlook via an automated method (for example, a packaged form deployment). Filter by form name or path to reduce false positives.

Techniques

Sample rules

Windows InProcServer32 New Outlook Form

Description

The following analytic detects the creation or modification of registry keys associated with new Outlook form installations, which may indicate exploitation of CVE-2024-21378. It queries the Endpoint.Registry data model for InProcServer32 registry paths whose value data points into an Outlook FORMS directory. This is significant because InProcServer32 registers a DLL as an in-process COM server: a malicious custom form that points such a key at an attacker-supplied library is the path to authenticated remote code execution through a form object. If confirmed malicious, this activity could let an attacker write arbitrary files and registry keys, leading to remote code execution and full compromise of the host. The search only sees registry telemetry, so triage by pulling the DLL named in registry_value_data and the process identified by process_guid before escalating.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" Registry.registry_value_data=*\\FORMS\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_inprocserver32_new_outlook_form_filter`
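To make the matching and the tuning concrete, the following Python is an added example (not code from the original rule or from Splunk) that emulates the search above over a handful of constructed registry events: the two wildcard conditions of the `where` clause, the `by` aggregation with count, firstTime and lastTime, and a stand-in for the `windows_inprocserver32_new_outlook_form_filter` macro that drops the automated-deployment path described in the LoFP note. The allowlisted prefix, the CLSID, hostnames, users and process GUIDs are all assumptions made up for the sample.

```python
import fnmatch

# Wildcard conditions copied from the detection's tstats search.
PATH_PATTERN = "*\\InProcServer32\\*"
DATA_PATTERN = "*\\FORMS\\*"

# Hypothetical tuning for the filter macro: directories that an approved,
# automated form deployment writes to. Assumption for this example only.
ALLOWED_DATA_PREFIXES = (
    "c:\\program files\\contoso forms\\",
)

GROUP_FIELDS = ("registry_path", "registry_key_name", "registry_value_name",
                "registry_value_data", "dest", "process_guid", "user")


def like(value, pattern):
    """Case-insensitive Splunk-style wildcard match on one field value."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_outlook_form_inproc(event):
    """The `where` clause: an InProcServer32 value whose data points into a FORMS directory."""
    return (like(event["registry_path"], PATH_PATTERN)
            and like(event["registry_value_data"], DATA_PATTERN))


def is_allowlisted(event):
    """Stand-in for the filter macro: suppress DLLs under approved deployment paths."""
    data = event["registry_value_data"].lower()
    return any(data.startswith(prefix) for prefix in ALLOWED_DATA_PREFIXES)


def detect(events):
    """Filter, then aggregate like `| tstats count min(_time) max(_time) by <fields>`.

    The allowlist is applied per event rather than after aggregation; that is
    equivalent here because it only inspects a field that is also a group-by key.
    """
    groups = {}
    for ev in events:
        if not is_outlook_form_inproc(ev) or is_allowlisted(ev):
            continue
        key = tuple(ev[f] for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return [dict(zip(GROUP_FIELDS, k), **v) for k, v in groups.items()]


def _ev(t, path, data, dest, user, guid):
    """Build one constructed Endpoint.Registry-shaped event (not real telemetry)."""
    key, _, value = path.rpartition("\\")
    return {"_time": t, "registry_path": path, "registry_key_name": key,
            "registry_value_name": value, "registry_value_data": data,
            "dest": dest, "user": user, "process_guid": guid}


# Constructed sample events. The CLSID, hosts, users and GUIDs are invented.
CLSID_KEY = ("HKEY_USERS\\S-1-5-21-0-0-0-1001\\SOFTWARE\\Classes\\CLSID\\"
             "{00000000-0000-0000-0000-000000000001}\\InProcServer32\\(Default)")
SAMPLE_EVENTS = [
    # Suspicious: a DLL in the user's Outlook FORMS cache registered as a COM server.
    _ev(1700000000, CLSID_KEY,
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\FORMS\\invoice.dll",
        "wkstn-01", "CORP\\alice", "{guid-1}"),
    # Benign: InProcServer32 pointing at a system DLL, no FORMS directory in the data.
    _ev(1700000300, CLSID_KEY, "C:\\Windows\\System32\\oleaut32.dll",
        "wkstn-01", "CORP\\alice", "{guid-2}"),
    # Same suspicious key rewritten ten minutes later: folds into one row with count 2.
    _ev(1700000600, CLSID_KEY,
        "C:\\Users\\alice\\AppData\\Local\\Microsoft\\FORMS\\invoice.dll",
        "wkstn-01", "CORP\\alice", "{guid-1}"),
    # The LoFP case: matches both patterns but comes from the approved deployment path.
    _ev(1700000900, CLSID_KEY,
        "C:\\Program Files\\Contoso Forms\\FORMS\\approved.dll",
        "wkstn-02", "CORP\\deploy", "{guid-3}"),
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running the block prints a single aggregated row for the FORMS-cache DLL on wkstn-01 with count 2; the system DLL never matches, and the deployment DLL matches the patterns but is removed by the allowlist, which is exactly the kind of tuning the LoFP note recommends putting in the filter macro.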