Potential Remote Code Execution Via Outlook Form

Rule Info

Name
Potential Remote Code Execution Via Outlook Form
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the creation of a new file with a ".DLL" extension in the Outlook Forms folder. This might be an indicator of an attacker using Outlook form persistence or remote code execution as seen in CVE-2024-21378 exploitation.
Reference
https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
Date
2024-03-12 00:00:00
Modified
None
Id
9e0bfbbe-d3d1-4b05-bc12-c5038d040108
Tags
attack.persistence attack.t1137.003
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022