Suspicious Execution via Microsoft Office Add-Ins

Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2023/03/20"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with
an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Microsoft Office Add-Ins"
references = [
    "https://github.com/Octoberfest7/XLL_Phishing",
    "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
]
risk_score = 47
rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where

    host.os.type == "windows" and event.type == "start" and

    process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and

    process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and

    /* Office Add-In from suspicious paths */
    (process.args :
             ("?:\\Users\\*\\Temp\\7z*",
              "?:\\Users\\*\\Temp\\Rar$*",
              "?:\\Users\\*\\Temp\\Temp?_*",
              "?:\\Users\\*\\Temp\\BNZ.*",
              "?:\\Users\\*\\Downloads\\*",
              "?:\\Users\\*\\AppData\\Roaming\\*",
              "?:\\Users\\Public\\*",
              "?:\\ProgramData\\*",
              "?:\\Windows\\Temp\\*",
              "\\Device\\*",
              "http*") or

    process.parent.name : ("explorer.exe", "OpenWith.exe") or

    /* Office Add-In from suspicious parent */
    process.parent.name : ("cmd.exe", "powershell.exe")) and

    /* False Positives */
    not (process.args : "*.vsto" and
         process.parent.executable :
                   ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
                    "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
                    "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
                    "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
                    "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
                    "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
    not (process.args : "/Uninstall" and process.name : "VSTOInstaller.exe") and
    not (process.parent.name : "rundll32.exe" and
         process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
    not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Execution via Microsoft Office Add-Ins

Microsoft Office Add-Ins enhance productivity by integrating additional features into Office applications. However, adversaries can exploit this by embedding malicious code within add-ins, often delivered through phishing. The detection rule identifies unusual execution patterns, such as Office apps launching add-ins from suspicious paths or with atypical parent processes, signaling potential threats. It filters out known benign activities to minimize false positives, focusing on genuine anomalies indicative of malicious intent.

### Possible investigation steps

- Review the process name and arguments to confirm if the execution involves a Microsoft Office application launching an add-in from a suspicious path, as indicated by the process.name and process.args fields.
- Check the parent process name to determine if the Office application was launched by an unusual or potentially malicious parent process, such as cmd.exe or powershell.exe, using the process.parent.name field.
- Investigate the file path from which the add-in was executed to assess if it matches any of the suspicious paths listed in the query, such as the Temp or Downloads directories, using the process.args field.
- Examine the host's recent activity logs to identify any related events or patterns that might indicate a broader attack or compromise, focusing on the host.os.type and event.type fields.
- Correlate the alert with any recent phishing attempts or suspicious emails received by the user to determine if the execution is part of a phishing campaign, leveraging the MITRE ATT&CK tactic and technique information provided.
- Verify if the execution is a false positive by checking against the known benign activities excluded in the query, such as specific VSTOInstaller.exe paths or arguments, to rule out legitimate software installations or updates.

### False positive analysis

- Logitech software installations can trigger false positives when VSTO files are executed by Logitech's PlugInInstallerUtility. To mitigate this, exclude processes with paths related to Logitech installations from the detection rule.
- The VSTOInstaller.exe process may be flagged when uninstalling applications. Exclude processes with the /Uninstall argument to prevent these false positives.
- Rundll32.exe executing with specific arguments related to MSI temporary files can be benign. Exclude these specific rundll32.exe executions to avoid false alerts.
- Sidekick.vsto installations from the specified URL can be legitimate. Exclude this specific VSTOInstaller.exe process with the Sidekick.vsto argument to reduce false positives.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any ongoing malicious activity.
- Terminate any suspicious processes identified by the detection rule, such as those involving unusual parent processes or originating from suspicious paths.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious add-ins or related malware.
- Review and clean up any unauthorized or suspicious Office add-ins from the affected applications to ensure no malicious code remains.
- Restore the system from a known good backup if the integrity of the system is compromised and cannot be assured through cleaning alone.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement additional monitoring and alerting for similar suspicious activities to enhance detection and response capabilities for future incidents."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"
[[rule.threat.technique.subtechnique]]
id = "T1137.006"
name = "Add-ins"
reference = "https://attack.mitre.org/techniques/T1137/006/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```
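
To see exactly which events the query above matches and which ones its exclusions remove, the following Python re-implements the rule's conditions over a handful of constructed process events. This is an added example, not Elastic's code or part of the rule: the EQL `:` operator is emulated with case-insensitive globbing (`?` one character, `*` any run), `regex~` with a case-insensitive regex anchored to the whole value (Lucene-style regexes match the entire string, so the argument has to end with an add-in extension), and the events are flat dicts keyed by ECS field name. The sample events, user names, file names and labels are invented for illustration.

```python
import fnmatch
import re

# process.name : (...)  -- the EQL `:` operator is case-insensitive
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "vstoinstaller.exe"}

# process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" -- Lucene-style regexes are anchored
# to the whole value, so the argument must *end* with an add-in extension; regex~ ignores case
ADDIN_EXT_RE = re.compile(r".+\.(wll|xll|ppa|ppam|xla|xlam|vsto)", re.IGNORECASE)

# "Office Add-In from suspicious paths" branch of the query
SUSPICIOUS_ARG_PATTERNS = [
    r"?:\Users\*\Temp\7z*", r"?:\Users\*\Temp\Rar$*", r"?:\Users\*\Temp\Temp?_*",
    r"?:\Users\*\Temp\BNZ.*", r"?:\Users\*\Downloads\*", r"?:\Users\*\AppData\Roaming\*",
    r"?:\Users\Public\*", r"?:\ProgramData\*", r"?:\Windows\Temp\*", r"\Device\*", "http*",
]
# both parent-name branches (explorer/OpenWith and cmd/powershell) are OR-ed with the path branch
SUSPICIOUS_PARENTS = {"explorer.exe", "openwith.exe", "cmd.exe", "powershell.exe"}

# "False Positives" exclusions carried over verbatim from the query
LOGITECH_VSTO_PARENTS = [
    r"?:\Program Files\Logitech\LogiOptions\PlugInInstallerUtility*.exe",
    r"?:\ProgramData\Logishrd\LogiOptions\Plugins\VSTO\*\VSTOInstaller.exe",
    r"?:\Program Files\Logitech\LogiOptions\PlugInInstallerUtility.exe",
    r"?:\Program Files\LogiOptionsPlus\PlugInInstallerUtility*.exe",
    r"?:\ProgramData\Logishrd\LogiOptionsPlus\Plugins\VSTO\*\VSTOInstaller.exe",
    r"?:\Program Files\Common Files\microsoft shared\VSTO\*\VSTOInstaller.exe",
]
MSI_CUSTOM_ACTION_ARG = r"?:\WINDOWS\Installer\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc"
SIDEKICK_URL = "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto"


def eql_match(value, patterns):
    """Emulate EQL `:`: case-insensitive glob, `?` one char, `*` any run; a list matches if any element does."""
    values = value if isinstance(value, list) else [value]
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values if v for p in patterns)


def matches_rule(ev):
    """Evaluate one ECS-style process event (flat dict, dotted field names) against the rule."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return False
    name = ev.get("process.name", "").lower()
    args = ev.get("process.args", [])
    parent = ev.get("process.parent.name", "").lower()
    if name not in OFFICE_PROCESSES or not any(ADDIN_EXT_RE.fullmatch(a) for a in args):
        return False
    if not (eql_match(args, SUSPICIOUS_ARG_PATTERNS) or parent in SUSPICIOUS_PARENTS):
        return False
    # exclusions: each `not (...)` clause of the query switches the match off
    if eql_match(args, ["*.vsto"]) and eql_match(ev.get("process.parent.executable"), LOGITECH_VSTO_PARENTS):
        return False
    if name == "vstoinstaller.exe" and eql_match(args, ["/Uninstall", SIDEKICK_URL]):
        return False
    if parent == "rundll32.exe" and eql_match(ev.get("process.parent.args"), [MSI_CUSTOM_ACTION_ARG]):
        return False
    return True


def _event(label, name, args, parent, parent_exe=None, os_type="windows"):
    return {"label": label, "host.os.type": os_type, "event.type": "start", "process.name": name,
            "process.args": args, "process.parent.name": parent, "process.parent.executable": parent_exe}


# Constructed sample events (not real telemetry) that exercise each branch of the query.
SAMPLE_EVENTS = [
    _event("xll_from_downloads", "EXCEL.EXE", [r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
           r"C:\Users\alice\Downloads\Invoice_2024.xll"], "explorer.exe", r"C:\Windows\explorer.exe"),
    _event("xlam_from_powershell", "EXCEL.EXE", ["EXCEL.EXE", r"C:\Users\bob\Documents\macro_pack.xlam"],
           "powershell.exe"),
    _event("ppam_from_roaming_via_outlook", "POWERPNT.EXE",
           ["POWERPNT.EXE", "/s", r"C:\Users\carol\AppData\Roaming\Agenda.ppam"], "OUTLOOK.EXE"),
    _event("docx_from_explorer", "WINWORD.EXE", ["WINWORD.EXE", "/n", r"C:\Users\bob\Downloads\report.docx"],
           "explorer.exe"),
    _event("logitech_vsto_install", "VSTOInstaller.exe",
           [r"C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe", "/Install",
            r"C:\ProgramData\Logishrd\LogiOptionsPlus\Plugins\VSTO\Office\LogiOptionsPlus.vsto"],
           "PlugInInstallerUtility.exe", r"C:\Program Files\LogiOptionsPlus\PlugInInstallerUtility.exe"),
    _event("vsto_uninstall_from_cmd", "VSTOInstaller.exe",
           ["VSTOInstaller.exe", "/Uninstall", r"C:\Users\bob\AppData\Local\Apps\2.0\Foo\Foo.vsto"], "cmd.exe"),
    _event("sidekick_vsto_url", "VSTOInstaller.exe", ["VSTOInstaller.exe", SIDEKICK_URL], "explorer.exe"),
    _event("xll_on_linux_host", "EXCEL.EXE", ["EXCEL.EXE", "/tmp/Invoice.xll"], "bash", os_type="linux"),
]


def alerts(events):
    """Labels of the events the rule would alert on, in input order."""
    return [e["label"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{'ALERT ' if matches_rule(e) else 'ignore'}  {e['label']}")
```

Running it alerts on the first three events only: the XLL opened from Downloads (path branch and explorer.exe parent), the XLAM started by PowerShell (parent branch alone, the path is unremarkable) and the PPAM in AppData\Roaming opened from Outlook (path branch alone). The Logitech VSTO install, the `/Uninstall` run and the Sidekick URL all satisfy the positive conditions and are then dropped by the exclusions, which is worth remembering when tuning: an exclusion keyed on `process.parent.executable` is only as strong as the attacker's inability to launch from that path.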

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Suspicious Execution via Microsoft Office Add-Ins

Microsoft Office Add-Ins extend Office applications with additional features, but the same mechanism lets an adversary run native code (XLL and WLL add-ins are DLLs) or managed code (VSTO) inside a trusted Office process, typically delivered as a phishing attachment. The rule alerts when an Office application (or VSTOInstaller.exe) starts with an add-in file as an argument and either the file sits in a suspicious location (user Temp and archive-extraction folders, Downloads, AppData\Roaming, Public, ProgramData, Windows\Temp, a raw \Device\ path or a URL) or the parent process is explorer.exe, OpenWith.exe, cmd.exe or powershell.exe. Known benign VSTO installer activity is excluded to keep false positives down.

Possible investigation steps

  • Review process.name and process.args to confirm that an Office application (or VSTOInstaller.exe) was started with an add-in file (.wll, .xll, .xla, .xlam, .ppa, .ppam or .vsto) as an argument, and record the full path of that file.
  • Check process.parent.name to establish how the application was launched: a cmd.exe or powershell.exe parent points to scripted or post-exploitation activity, while explorer.exe or OpenWith.exe usually means the user double-clicked the file.
  • Assess the add-in's location against the suspicious paths in the query; an add-in loaded from a download, temp or archive-extraction folder rather than an installed location is the strongest signal.
  • Examine the host's activity around the alert: how the add-in file arrived (browser download, mail client, archive extraction), any child processes spawned by the Office application and any outbound network connections made after the add-in loaded.
  • Correlate the alert with recent phishing reports or suspicious emails received by the user to determine whether the execution is part of a campaign (the rule maps to T1566.001 and T1137.006).
  • Rule out a false positive by checking the event against the benign activity the query already excludes (the Logitech and Microsoft VSTOInstaller.exe paths, the /Uninstall argument, the MSI custom-action rundll32.exe parent and the Sidekick.vsto URL) and against software deployments known in your environment.

False positive analysis

  • Logitech Options and Options+ install their Office integration by running VSTOInstaller.exe from PlugInInstallerUtility.exe; the query excludes those installer paths, so extend the list if another version of the installer shows up in your environment.
  • VSTOInstaller.exe is also run to remove add-ins; executions with the /Uninstall argument are excluded.
  • MSI custom actions executed by rundll32.exe (MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc) can launch VSTOInstaller.exe during legitimate installs; that parent is excluded.
  • Sidekick installs its Outlook add-in from https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto; that exact URL is excluded. Other vendor or in-house VSTO deployments that stage the .vsto file under ProgramData will need their own exclusion keyed on process.parent.executable, as the Logitech entries are.

Response and remediation

  • Isolate the affected system from the network to contain any ongoing malicious activity and prevent lateral movement.
  • Terminate the Office process that loaded the add-in together with any child processes it spawned.
  • Scan the system with up-to-date antivirus or endpoint detection and response (EDR) tooling to identify and remove the malicious add-in and any related malware.
  • Remove unauthorized add-ins from the locations Office loads at startup (Excel's OPEN registry values and XLSTART folder, Word's STARTUP folder and the per-application Addins registry keys used by VSTO) so that the persistence does not survive a restart.
  • Restore the system from a known good backup if its integrity cannot be assured through cleaning alone.
  • Escalate the incident to the security operations center (SOC) or incident response team to determine whether other users received the same attachment or other systems are affected.
  • Add monitoring and alerting for similar activity, for example add-in files written to user-writable paths, to improve detection of future attempts.
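
The clean-up step above is easier when you know where Office records the add-ins it loads at startup, which is also where T1137.006 persistence gets planted. The following Python is an added example, not part of the rule or Elastic's code: it walks a constructed snapshot of the relevant registry values and startup folders (the Excel `Options\OPEN*` values, the per-application `Addins` keys carrying a VSTO `Manifest`, and the Word STARTUP and Excel XLSTART folders) and lists every add-in that loads from outside the Program Files install roots. The registry snapshot, the 16.0 version key, the user name and the Contoso/Fabrikam add-ins are invented; on a live host the same data would be read with `winreg` or `reg query` and a directory listing.

```python
import re
from pathlib import PureWindowsPath

ADDIN_EXTS = {".wll", ".xll", ".xla", ".xlam", ".ppa", ".ppam", ".vsto"}
# Install roots where vendor add-ins normally live; anything loaded from elsewhere is reviewed first
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed registry snapshot ({key: {value name: data}}), not taken from a real host.
# Excel auto-opens the add-ins named in the OPEN, OPEN1, ... values of Excel\Options (data is
# usually  /R "path"), and VSTO add-ins are registered under <App>\Addins\<ProgId> with a
# Manifest value. The 16.0 version key and the add-in names are assumptions.
SAMPLE_REGISTRY = {
    r"HKCU\Software\Microsoft\Office\16.0\Excel\Options": {
        "OPEN": r'/R "C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"',
        "OPEN1": r'/R "C:\Users\alice\AppData\Roaming\Microsoft\AddIns\Invoice_2024.xll"',
    },
    r"HKCU\Software\Microsoft\Office\Excel\Addins\Contoso.Reporting": {
        "Manifest": r"file:///C:\Users\alice\AppData\Local\Apps\Contoso\Contoso.Reporting.vsto|vstolocal",
        "LoadBehavior": 3,
    },
    r"HKCU\Software\Microsoft\Office\Word\Addins\Fabrikam.WordTools": {
        "Manifest": r"file:///C:\Program Files\Fabrikam\WordTools\Fabrikam.WordTools.vsto|vstolocal",
        "LoadBehavior": 3,
    },
}
# Constructed listing of the per-user startup folders Word and Excel load from.
SAMPLE_STARTUP_DIRS = {
    r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP": ["Normal_Helper.wll"],
    r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART": ["PERSONAL.XLSB"],
}


def excel_open_path(data):
    """Strip the /R (read-only) switch and surrounding quotes from an Excel OPENn value."""
    m = re.fullmatch(r'\s*(?:/\w+\s+)*"?([^"]+?)"?\s*', data)
    return m.group(1) if m else data


def vsto_manifest_path(data):
    """Turn a Manifest value of the form file:///<path>.vsto|vstolocal into a plain file path."""
    return re.sub(r"^file:///", "", data.split("|", 1)[0], flags=re.IGNORECASE)


def persisted_addins(registry, startup_dirs):
    """Return (where registered, add-in path) for everything Office would load at startup."""
    found = []
    for key, values in registry.items():
        if key.lower().endswith("\\excel\\options"):
            for name, data in values.items():
                if re.fullmatch(r"OPEN\d*", name, re.IGNORECASE):
                    found.append((f"{key}\\{name}", excel_open_path(data)))
        elif "\\addins\\" in key.lower() and "Manifest" in values:
            found.append((f"{key} (LoadBehavior={values.get('LoadBehavior')})",
                          vsto_manifest_path(values["Manifest"])))
    for folder, files in startup_dirs.items():
        for f in files:
            if PureWindowsPath(f).suffix.lower() in ADDIN_EXTS:
                found.append((folder, f"{folder}\\{f}"))
    return found


def review_candidates(registry, startup_dirs):
    """Persisted add-ins whose file sits outside the trusted install roots."""
    return [(src, path) for src, path in persisted_addins(registry, startup_dirs)
            if not path.lower().startswith(TRUSTED_ROOTS)]


if __name__ == "__main__":
    for src, path in review_candidates(SAMPLE_REGISTRY, SAMPLE_STARTUP_DIRS):
        print(f"REVIEW  {path}\n        registered at {src}")
```

On the sample snapshot the Analysis ToolPak XLL and the Fabrikam VSTO add-in under Program Files are skipped, while the XLL in AppData\Roaming, the Contoso VSTO under AppData\Local and the WLL in the Word STARTUP folder are reported. The check is the mirror image of the detection rule: the rule denies a list of launch paths, this hunt allows a list of install roots. A location under Program Files lowers the priority of a finding but does not prove it benign, so the reported entries are where to start, not the whole list to trust.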

References

https://github.com/Octoberfest7/XLL_Phishing
https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/