Suspicious Execution via Microsoft Office Add-Ins

Identifies execution of common Microsoft Office applications launching an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to gain initial access via a malicious Office Add-In delivered by phishing.


  1[metadata]
  2creation_date = "2023/03/20"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
  6min_stack_version = "8.3.0"
  7updated_date = "2024/03/28"
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or 
 13with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing 
 14MS Office Add-In.
 15"""
 16from = "now-9m"
 17index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Suspicious Execution via Microsoft Office Add-Ins"
 21references = [
 22"https://github.com/Octoberfest7/XLL_Phishing",
 23"https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/"
 24]
 25risk_score = 47
 26rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
 27severity = "medium"
 28tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
 29timestamp_override = "event.ingested"
 30type = "eql"
 31
 32query = '''
 33process where 
 34    
 35    host.os.type == "windows" and event.type == "start" and  
 36    
 37    process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and 
 38    
 39    process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and 
 40    
 41    /* Office Add-In from suspicious paths */
 42    (process.args :
 43             ("?:\\Users\\*\\Temp\\7z*",
 44              "?:\\Users\\*\\Temp\\Rar$*",
 45              "?:\\Users\\*\\Temp\\Temp?_*",
 46              "?:\\Users\\*\\Temp\\BNZ.*",
 47              "?:\\Users\\*\\Downloads\\*",
 48              "?:\\Users\\*\\AppData\\Roaming\\*",
 49              "?:\\Users\\Public\\*",
 50              "?:\\ProgramData\\*",
 51              "?:\\Windows\\Temp\\*",
 52              "\\Device\\*",
 53              "http*") or
 54	      
 55    process.parent.name : ("explorer.exe", "OpenWith.exe") or 
 56    
 57    /* Office Add-In from suspicious parent */
 58    process.parent.name : ("cmd.exe", "powershell.exe")) and
 59	  
 60    /* False Positives */
 61    not (process.args : "*.vsto" and
 62         process.parent.executable :
 63                   ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
 64                    "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
 65                    "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
 66                    "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
 67                    "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
 68                    "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
 69    not (process.args : "/Uninstall" and process.name : "VSTOInstaller.exe") and
 70    not (process.parent.name : "rundll32.exe" and
 71         process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
 72    not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
 73'''
 74
 75
 76[[rule.threat]]
 77framework = "MITRE ATT&CK"
 78[[rule.threat.technique]]
 79id = "T1566"
 80name = "Phishing"
 81reference = "https://attack.mitre.org/techniques/T1566/"
 82[[rule.threat.technique.subtechnique]]
 83id = "T1566.001"
 84name = "Spearphishing Attachment"
 85reference = "https://attack.mitre.org/techniques/T1566/001/"
 86
 87
 88
 89[rule.threat.tactic]
 90id = "TA0001"
 91name = "Initial Access"
 92reference = "https://attack.mitre.org/tactics/TA0001/"
 93
 94
 95
 96[[rule.threat]]
 97framework = "MITRE ATT&CK"
 98[[rule.threat.technique]]
 99id = "T1137"
100name = "Office Application Startup"
101reference = "https://attack.mitre.org/techniques/T1137/"
102[[rule.threat.technique.subtechnique]]
103id = "T1137.006"
104name = "Add-ins"
105reference = "https://attack.mitre.org/techniques/T1137/006/"
106	
107[rule.threat.tactic]
108id = "TA0003"
109name = "Persistence"
110reference = "https://attack.mitre.org/tactics/TA0003/"
