Checks for Outlook EnableUnsafeClientMailRules = 1 (turned on). This registry key enables execution from Outlook inbox rules which can be used as a persistence mechanism. Microsoft has released a patch to disable execution but attackers can reenable by changing this value to 1.
HKEY_USERS*\Software\Microsoft\Office*\Outlook\Security\EnableUnsafeClientMailRules = 0 (expected) https://support.microsoft.com/en-us/help/3191893/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro
name: Windows.Registry.EnableUnsafeClientMailRules
description: |
Checks for Outlook EnableUnsafeClientMailRules = 1 (turned on).
This registry key enables execution from Outlook inbox rules which can be used as a persistence mechanism.
Microsoft has released a patch to disable execution but attackers can reenable by changing this value to 1.
HKEY_USERS\*\Software\Microsoft\Office\*\Outlook\Security\EnableUnsafeClientMailRules = 0 (expected)
https://support.microsoft.com/en-us/help/3191893/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro
author: "@mgreen27"
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: KeyGlob
default: Software\Microsoft\Office\*\Outlook\Security\
- name: userRegex
default: .
type: regex
sources:
- query: |
LET UserProfiles = Select Name as Username,
{
SELECT OSPath FROM glob(root=expand(path=Directory),
globs="/NTUSER.DAT", accessor="auto")
} as NTUser,
expand(path=Directory) as Directory
FROM Artifact.Windows.Sys.Users()
WHERE Directory and NTUser and Name =~ userRegex
SELECT * FROM foreach(
row={
SELECT Username, NTUser FROM UserProfiles
},
query={
SELECT Username,
NTUser as Userhive,
OSPath.Path as Key,
key.Mtime AS LastModified,
EnableUnsafeClientMailRules,
OutlookSecureTempFolder
FROM read_reg_key(
globs=KeyGlob,
root=pathspec(DelegatePath=OSPath),
accessor="raw_reg")
WHERE EnableUnsafeClientMailRules = 1
})