Windows.Registry.EnableUnsafeClientMailRules

Checks for Outlook EnableUnsafeClientMailRules = 1 (turned on). This registry value controls whether Outlook inbox rules may start an application or run a macro, which attackers can use as a persistence mechanism. Microsoft has released a patch that disables these rule actions by default, but attackers can re-enable them by setting this value back to 1.

HKEY_USERS\*\Software\Microsoft\Office\*\Outlook\Security\EnableUnsafeClientMailRules = 0 (expected)
https://support.microsoft.com/en-us/help/3191893/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro


name: Windows.Registry.EnableUnsafeClientMailRules
description: |
  Checks for Outlook EnableUnsafeClientMailRules = 1 (turned on).
  This registry value controls whether Outlook inbox rules may start an application or run a macro, which attackers can use as a persistence mechanism.
  Microsoft has released a patch that disables these rule actions by default, but attackers can re-enable them by setting this value back to 1.

  HKEY_USERS\*\Software\Microsoft\Office\*\Outlook\Security\EnableUnsafeClientMailRules = 0 (expected)
  https://support.microsoft.com/en-us/help/3191893/how-to-control-the-rule-actions-to-start-an-application-or-run-a-macro

author: "@mgreen27"

precondition: SELECT OS From info() where OS = 'windows'

parameters:
   - name: KeyGlob
     default: Software\Microsoft\Office\*\Outlook\Security\
   - name: userRegex
     default: .
     type: regex

sources:
  - query: |
        -- Resolve each local user profile to its NTUSER.DAT hive so the
        -- check also covers users who are not currently logged on.
        LET UserProfiles = SELECT Name AS Username,
            {
                SELECT OSPath FROM glob(root=expand(path=Directory),
                   globs="/NTUSER.DAT", accessor="auto")
            } AS NTUser,
            expand(path=Directory) AS Directory
        FROM Artifact.Windows.Sys.Users()
        WHERE Directory AND NTUser AND Name =~ userRegex

        -- Open every hive with the raw_reg accessor and read the Outlook
        -- Security key of each installed Office version (KeyGlob).
        SELECT * FROM foreach(
          row={
             SELECT Username, NTUser FROM UserProfiles
          },
          query={
             -- read_reg_key returns one row per key: a Key column holding
             -- the key's stat info plus one column per registry value.
             SELECT Username,
               NTUser AS Userhive,
               Key.OSPath.Path AS Key,
               Key.Mtime AS LastModified,
               EnableUnsafeClientMailRules,
               OutlookSecureTempFolder
             -- the hive to open comes from the foreach row (NTUser),
             -- not from a column of read_reg_key itself
             FROM read_reg_key(
                globs=KeyGlob,
                root=pathspec(DelegatePath=NTUser),
                accessor="raw_reg")
             -- report only hives where the unsafe rule actions are turned on
             WHERE EnableUnsafeClientMailRules = 1
          })
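The same check against the live registry of a single host, as an added PowerShell example that is not part of the artifact above. It walks the hives currently loaded under HKEY_USERS rather than the offline NTUSER.DAT files, so logged-off users are not covered; the key pattern and the expected value (0 or absent) are taken from the artifact.

```powershell
# Added example (not part of the Velociraptor artifact): live-registry check of
# EnableUnsafeClientMailRules for every user hive loaded under HKEY_USERS.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-UnsafeClientMailRules {
    # Emits one object per Outlook Security key found, flagging any hive where the
    # unsafe rule actions were turned back on (value = 1; 0 or absent is expected).
    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        # *_Classes hives never contain the Office tree.
        if ($sid -like '*_Classes') { continue }

        # Resolve the SID to an account name where possible (falls back to the SID).
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $user = $sid }

        # One Security key per installed Office version, e.g. ...\Office\16.0\Outlook\Security
        $pattern = "HKU:\$sid\Software\Microsoft\Office\*\Outlook\Security"
        foreach ($key in Get-Item -Path $pattern -ErrorAction SilentlyContinue) {
            $value = $key.GetValue('EnableUnsafeClientMailRules', $null)
            [pscustomobject]@{
                Username                    = $user
                Sid                         = $sid
                Key                         = $key.Name
                EnableUnsafeClientMailRules = $value
                OutlookSecureTempFolder     = $key.GetValue('OutlookSecureTempFolder', $null)
                UnsafeRulesEnabled          = ($value -eq 1)
            }
        }
    }
}

# Mirror the artifact's WHERE clause: show only hives where the value is 1.
Get-UnsafeClientMailRules | Where-Object UnsafeRulesEnabled | Format-Table -AutoSize
```

Drop the `Where-Object` filter to see every Outlook Security key found, including hives where the value is absent (the post-patch default).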