Access To Windows Outlook Mail Files By Uncommon Application

Rule Info

Name
Access To Windows Outlook Mail Files By Uncommon Application
Author
frack113
Description
Detects file access requests to Windows Outlook Mail by uncommon processes. Could indicate potential attempt of credential stealing. Requires heavy baselining before usage
Reference
https://darkdefender.medium.com/windows-10-mail-app-forensics-39025f5418d2
Date
2024-05-10 00:00:00
Modified
None
Id
fc3e237f-2fef-406c-b90d-b3ae7e02fa8f
Tags
attack.t1070.008 attack.defense_evasion DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=fc3e237f-2fef-406c-b90d-b3ae7e02fa8f

Rule History

Author
Title
Date
Commit
fornotes
Merge PR #4920 from @fornotes - Update `file_access` based rules
2024-07-22
b53c9bd2f
frack113
Merge PR #4838 from @frack113 - Add `Access To Windows Outlook Mail Files By Uncommon Application`
2024-05-10
fe26ffa0f
Nasreddine Bencherchali
Merge PR #4577 from @nasbench - Multiple Fixes & Updates
2023-12-21
e05267714
Wagga
Merge PR #4524 from @wagga40 - Fix Typos In Metadata Fields
2023-10-28
8bf328219
frack113
Merge PR #4398 from @nasbench & @frack113 - Update File Access Rules
2023-09-15
a1b75c6e1
Nasreddine Bencherchali
feat: new rules, updates and fp fixes (#4136)
2023-04-03
3d9372bef
Nasreddine Bencherchali
feat: updates and fixes
2023-02-17
68c052aab
frack113
Add logsource definition
2022-10-25
5bd0b33a3
frack113
Move file category rules
2022-10-13
3cc42cfe6
Nasreddine Bencherchali
Fix FP In Testing
2022-10-07
8dbd03ff3
frack113
System FP
2022-07-27
90b505a27
phantinuss
fix: FPs found in testing
2022-07-05
ce1710a03
Florian Roth
refactor: remove now unnecessary filters
2022-06-30
d09544c35
Paul Hager
fix: FP fix
2022-06-30
904499842
Florian Roth
fix: FPs
2022-06-29
fd7b8d1c4
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022