Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Technique Outlook Forms
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Outlook Forms
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Office Application Startup:  Outlook Forms

ID Name
.001 Office Template Macros
.002 Office Test
.003 Outlook Forms
.004 Outlook Home Page
.005 Outlook Rules
.006 Add-ins

Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms) Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)

ID: T1137.003
Sub-technique of:  T1137
Tactic(s): Persistence
Platforms: Office 365, Windows
Permissions Required: Administrator, User
Data Sources: Application Log: Application Log Content, Command: Command Execution, Process: Process Creation
Version: 1.1
Created: 07 Nov 2019
Last Modified: 16 Aug 2021

Procedure Examples
Name Description
Ruler

Ruler can be used to automate the abuse of Outlook Forms to establish persistence.(Citation: SensePost Ruler GitHub)

Mitigations
Mitigation Description
Update Software

Perform regular software updates to mitigate exploitation risk.
Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Detection

Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output.(Citation: Microsoft Detect Outlook Forms) SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage.(Citation: SensePost NotRuler) Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.

References

  1. SensePost. (2017, September 21). NotRuler - The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. Retrieved February 4, 2019.
  2. Fox, C., Vangel, D. (2018, April 22). Detect and Remediate Outlook Rules and Custom Forms Injections Attacks in Office 365. Retrieved February 4, 2019.
  3. Stalmans, E. (2017, April 28). Outlook Forms and Shells. Retrieved February 4, 2019.
  4. Stalmans, E. (2017, October 11). Outlook Home Page – Another Ruler Vector. Retrieved February 4, 2019.
  5. SensePost. (2016, August 18). Ruler: A tool to abuse Exchange services. Retrieved February 4, 2019.
  6. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.