LoFP / False positives are possible if the organization adds new forms to Outlook via an automated method. Filter by form name or path to reduce false positives.

Techniques

Sample rules

Windows InProcServer32 New Outlook Form

Description

The following analytic identifies the creation or modification of registry keys associated with new Outlook form installations that could indicate exploitation of CVE-2024-21378. The vulnerability allows authenticated remote code execution via synced form objects by abusing the InProcServer32 registry key. The attack involves syncing malicious form objects that carry special properties and attachments used to "install" the form on a client, potentially leading to arbitrary file and registry key creation under HKEY_CLASSES_ROOT (HKCR), and ultimately remote code execution. Because HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, the write may be logged under either hive; the wildcard on the key path covers both. Ordinary COM registration by installers also writes InProcServer32 values, so the detection narrows to values whose data points into a FORMS directory, which is characteristic of Outlook form installations and indicative of an attempt to exploit this vulnerability.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\InProcServer32\\*" Registry.registry_value_data=*\\FORMS\\* by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.registry_value_data Registry.dest Registry.process_guid Registry.user 
| `drop_dm_object_name(Registry)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_inprocserver32_new_outlook_form_filter`