False positive Windows Shell Remote Code Execution Vulnerability (OUTLOOK)
Since I enabled rule ID 6123, I am getting a daily alert that I am not sure how to proceed with it.
First impression was that on the first execution my outlook is creating some temp file as part of the normal initialization. I was tempted to whitelist outlook but I thought that this action would reduce the effectiveness of the rule as Outlook is a very common attack vector, especially during phishing attacks.
Secondly, I was a bit confused as I couldn't find much information about that behaviour in Microsoft sites. So I started doubting if that is a false positive or not. I went to the temp folder and nothing is there. I am tempted to start doing some forensics to find those deleted files and analyse them more in depth but first I wanted to ask around here just in case someone already saw that behaviour and can offer an explanation for it.
XXX\YYYY ran C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE, which accessed the file C:\Users\YYYY\AppData\Local\Temp\Deployment\QPNJBOXV.QY5\L1REJGME.Y8M.application, violating the rule "Windows Shell Remote Code Execution Vulnerability". Access was allowed because the rule wasn't configured to block.
Re: False positive Windows Shell Remote Code Execution Vulnerability (OUTLOOK)
I am running W10 1809 (build 17763). That patch does not apply according to the Microsoft page.
It might be superseded in the feature update 1809.
I monitored the outlook.exe process using procmon (sysinternals) and indeed it creates some temporary files during the startup of the application. Unfortunately I could not obtain those files for a deeper analysis (as they get immediately deleted).
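The reply above describes the two pieces of evidence a defender has in this case: the product's alert sentence and a Procmon capture in which the file is created and deleted within moments. The following is an added example (not code from the thread, the poster, or the vendor) that correlates the two: it parses the alert line into process, file and rule, then scans a Procmon "Save as CSV" export for files that the same process creates and deletes inside the user's `Temp\Deployment` folder within a short window. The CSV sample is constructed, and the assumptions are labelled: Procmon's standard CSV column names, and deletes appearing either as `SetDispositionInformationFile` with `Delete: True` or as a `CreateFile` whose Detail contains `Delete On Close`.

```python
"""Correlate an alert line with a Procmon CSV export to find short-lived
temp files. Added example; assumptions (not from the thread): Procmon's
standard "Save as CSV" columns, and deletes appearing either as
SetDispositionInformationFile with "Delete: True" or as CreateFile with
"Delete On Close" in the Detail column.
"""
import csv
import io
import re
from datetime import timedelta

# The alert sentence quoted in the thread (XXX/YYYY are the poster's redactions).
ALERT_LINE = (
    r"XXX\YYYY ran C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE, "
    r"which accessed the file C:\Users\YYYY\AppData\Local\Temp\Deployment\QPNJBOXV.QY5\L1REJGME.Y8M.application, "
    r'violating the rule "Windows Shell Remote Code Execution Vulnerability". '
    r"Access was allowed because the rule wasn't configured to block."
)

# Constructed Procmon export modelled on the thread: OUTLOOK.EXE writes a
# .application file under Temp\Deployment and marks it for deletion 200 ms later.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:15:02.1000000 AM","OUTLOOK.EXE","4120","CreateFile","C:\Users\YYYY\AppData\Local\Temp\Deployment\QPNJBOXV.QY5\L1REJGME.Y8M.application","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert"
"9:15:02.1500000 AM","OUTLOOK.EXE","4120","WriteFile","C:\Users\YYYY\AppData\Local\Temp\Deployment\QPNJBOXV.QY5\L1REJGME.Y8M.application","SUCCESS","Offset: 0, Length: 2,048"
"9:15:02.3000000 AM","OUTLOOK.EXE","4120","SetDispositionInformationFile","C:\Users\YYYY\AppData\Local\Temp\Deployment\QPNJBOXV.QY5\L1REJGME.Y8M.application","SUCCESS","Delete: True"
"9:15:03.0000000 AM","OUTLOOK.EXE","4120","CreateFile","C:\Users\YYYY\AppData\Local\Microsoft\Outlook\profile.ost","SUCCESS","Desired Access: Generic Read/Write, Disposition: Open"
"9:15:05.5000000 AM","explorer.exe","2200","CreateFile","C:\Users\YYYY\Downloads\invoice.application","SUCCESS","Desired Access: Generic Read, Disposition: Open"
'''

_ALERT_RE = re.compile(
    r"ran (?P<process>.+?), which accessed the file (?P<file>.+?), "
    r'violating the rule "(?P<rule>[^"]+)"'
)
_TIME_RE = re.compile(r"^(\d{1,2}):(\d{2}):(\d{2})\.(\d+)\s*(AM|PM)$")


def parse_alert(line: str) -> dict:
    """Split the alert sentence into process path, accessed file and rule name."""
    m = _ALERT_RE.search(line)
    if not m:
        raise ValueError("alert line not in the expected format")
    path = m.group("file")
    low = path.lower()
    return {
        "process_name": m.group("process").rsplit("\\", 1)[-1],
        "file": path,
        "folder": path.rsplit("\\", 1)[0],
        "rule": m.group("rule"),
        # .application under Temp\Deployment is the ClickOnce deployment-cache
        # layout; that context is worth recording before triaging the alert.
        "clickonce_temp": "\\temp\\deployment\\" in low and low.endswith((".application", ".manifest")),
    }


def parse_time_of_day(text: str) -> timedelta:
    """Procmon writes 'H:MM:SS.fffffff AM'; keep microsecond precision."""
    m = _TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unexpected time format: {text!r}")
    hh, mm, ss, frac, ampm = m.groups()
    hour = int(hh) % 12 + (12 if ampm == "PM" else 0)
    micro = int(frac[:6].ljust(6, "0"))
    return timedelta(hours=hour, minutes=int(mm), seconds=int(ss), microseconds=micro)


def find_short_lived_files(csv_text: str, process_name: str,
                           path_hint: str = "\\Temp\\Deployment\\",
                           max_lifetime_s: float = 5.0) -> list:
    """Return files that process_name created and then deleted within max_lifetime_s."""
    created = {}   # lower-cased path -> (original path, creation time)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if path_hint.lower() not in path.lower():
            continue
        op, detail = row["Operation"], row["Detail"]
        t = parse_time_of_day(row["Time of Day"])
        if op == "CreateFile" and ("Disposition: Create" in detail or "Disposition: Overwrite" in detail):
            created[path.lower()] = (path, t)
        is_delete = (op == "SetDispositionInformationFile" and "Delete: True" in detail) \
            or (op == "CreateFile" and "Delete On Close" in detail)
        if is_delete and path.lower() in created:
            orig, t0 = created.pop(path.lower())
            life = (t - t0).total_seconds()
            if life <= max_lifetime_s:
                hits.append({"path": orig, "pid": row["PID"], "lifetime_s": life})
    return hits


if __name__ == "__main__":
    info = parse_alert(ALERT_LINE)
    print(f"{info['process_name']} hit rule '{info['rule']}' (ClickOnce temp: {info['clickonce_temp']})")
    for h in find_short_lived_files(SAMPLE_PROCMON_CSV, info["process_name"]):
        print(f"pid {h['pid']} created and deleted {h['path']} within {h['lifetime_s']:.3f}s")
```

Against a real export, the list of short-lived paths is what you would hand to a file-recovery or forensics step; the constructed sample deliberately includes an `explorer.exe` `.application` open in Downloads to show that the filter is scoped to the process and folder named in the alert rather than to the extension alone.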