Suspicious COM CLSID Registry Value Set By Outlook.EXE

Rule Info

Name
Suspicious COM CLSID Registry Value Set By Outlook.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the creation of a COM CLSID pointing to a DLL file residing in the Outlook Forms directory. This could potentially indicate the installation of a malicious Outlook Form. Investigate further actions executed during this time frame and look for a DLL being dropped to disk and then that same DLL being loaded by the Outlook process.
Date
2024-03-12 00:00:00
Modified
None
Id
7f812f92-eccd-4a2c-8f93-aefc8add99b0
Tags
attack.persistence
Type
Nextron Sigma feed only (private)

Rule History