Suspicious Execution via Microsoft Office Add-Ins

Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.


  1[metadata]
  2creation_date = "2023/03/20"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2024/10/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with
 13an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
 14"""
 15from = "now-9m"
 16index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 17language = "eql"
 18license = "Elastic License v2"
 19name = "Suspicious Execution via Microsoft Office Add-Ins"
 20references = [
 21    "https://github.com/Octoberfest7/XLL_Phishing",
 22    "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
 23]
 24risk_score = 47
 25rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
 26severity = "medium"
 27tags = [
 28    "Domain: Endpoint",
 29    "OS: Windows",
 30    "Use Case: Threat Detection",
 31    "Tactic: Initial Access",
 32    "Tactic: Persistence",
 33    "Data Source: Elastic Endgame",
 34    "Data Source: Elastic Defend",
 35    "Data Source: Sysmon",
 36    "Data Source: Microsoft Defender for Endpoint",
 37    "Data Source: SentinelOne",
 38]
 39timestamp_override = "event.ingested"
 40type = "eql"
 41
 42query = '''
 43process where 
 44    
 45    host.os.type == "windows" and event.type == "start" and  
 46    
 47    process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and 
 48    
 49    process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and 
 50    
 51    /* Office Add-In from suspicious paths */
 52    (process.args :
 53             ("?:\\Users\\*\\Temp\\7z*",
 54              "?:\\Users\\*\\Temp\\Rar$*",
 55              "?:\\Users\\*\\Temp\\Temp?_*",
 56              "?:\\Users\\*\\Temp\\BNZ.*",
 57              "?:\\Users\\*\\Downloads\\*",
 58              "?:\\Users\\*\\AppData\\Roaming\\*",
 59              "?:\\Users\\Public\\*",
 60              "?:\\ProgramData\\*",
 61              "?:\\Windows\\Temp\\*",
 62              "\\Device\\*",
 63              "http*") or
 64	      
 65    process.parent.name : ("explorer.exe", "OpenWith.exe") or 
 66    
 67    /* Office Add-In from suspicious parent */
 68    process.parent.name : ("cmd.exe", "powershell.exe")) and
 69	  
 70    /* False Positives */
 71    not (process.args : "*.vsto" and
 72         process.parent.executable :
 73                   ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
 74                    "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
 75                    "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
 76                    "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
 77                    "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
 78                    "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
 79    not (process.args : "/Uninstall" and process.name : "VSTOInstaller.exe") and
 80    not (process.parent.name : "rundll32.exe" and
 81         process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
 82    not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
 83'''
 84
 85
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88[[rule.threat.technique]]
 89id = "T1566"
 90name = "Phishing"
 91reference = "https://attack.mitre.org/techniques/T1566/"
 92[[rule.threat.technique.subtechnique]]
 93id = "T1566.001"
 94name = "Spearphishing Attachment"
 95reference = "https://attack.mitre.org/techniques/T1566/001/"
 96
 97
 98
 99[rule.threat.tactic]
100id = "TA0001"
101name = "Initial Access"
102reference = "https://attack.mitre.org/tactics/TA0001/"
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105[[rule.threat.technique]]
106id = "T1137"
107name = "Office Application Startup"
108reference = "https://attack.mitre.org/techniques/T1137/"
109[[rule.threat.technique.subtechnique]]
110id = "T1137.006"
111name = "Add-ins"
112reference = "https://attack.mitre.org/techniques/T1137/006/"
113
114
115
116[rule.threat.tactic]
117id = "TA0003"
118name = "Persistence"
119reference = "https://attack.mitre.org/tactics/TA0003/"
