Techniques
Sample rules
Windows Outlook WebView Registry Modification
- source: splunk
- technicques:
- T1112
Description
The following analytic identifies modifications to specific Outlook registry values related to WebView and Today features. It detects when a URL is set in these registry locations, which could indicate attempts to manipulate Outlook’s web-based components. The analytic focuses on changes to the “URL” value within Outlook’s WebView and Today registry paths. This activity is significant as it may represent an attacker’s effort to redirect Outlook’s web content or inject malicious URLs. If successful, this technique could lead to phishing attempts, data theft, or serve as a stepping stone for further compromise of the user’s email client and potentially sensitive information.
Detection logic
| tstats `security_content_summariesonly` count values(Registry.registry_value_name) as registry_value_name values(Registry.registry_value_data) as registry_value_data min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\WebView\\*" OR Registry.registry_path="*\\Software\\Microsoft\\Office\\*\\Outlook\\Today") AND Registry.registry_value_name="URL" by Registry.dest, Registry.user, Registry.registry_path
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `drop_dm_object_name(Registry)`
| `windows_outlook_webview_registry_modification_filter`