Techniques
Sample rules
Windows Unsecured Outlook Credentials Access In Registry
- source: splunk
- technicques:
- T1552
Description
The following analytic detects unauthorized access to Outlook credentials stored in the Windows registry. It leverages Windows Security Event logs, specifically EventCode 4663, to identify access attempts to registry paths associated with Outlook profiles. This activity is significant as it may indicate attempts to steal sensitive email credentials, which could lead to unauthorized access to email accounts. If confirmed malicious, this could allow attackers to exfiltrate sensitive information, impersonate users, or execute further unauthorized actions within Outlook, posing a significant security risk.
Detection logic
`wineventlog_security` EventCode=4663 object_file_path IN ("*\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676*", "*\\Windows Messaging Subsystem\\Profiles\\9375CFF0413111d3B88A00104B2A6676*") AND process_name != *\\outlook.exe
| stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_unsecured_outlook_credentials_access_in_registry_filter`