Suspicious Execution via Microsoft Office Add-Ins
Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
# Elastic prebuilt detection rule (EQL). Rule-level metadata first, then the
# rule body, then one [[rule.threat]] entry per mapped ATT&CK tactic.
[metadata]
creation_date = "2023/03/20"
integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/28"

[rule]
author = ["Elastic"]
description = """
Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or
with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing
MS Office Add-In.
"""
# Look-back window for each rule execution; events are ordered on the
# field named in timestamp_override below.
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Microsoft Office Add-Ins"
references = [
    "https://github.com/Octoberfest7/XLL_Phishing",
    "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
]
risk_score = 47
rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic, in order of the clauses below:
#   1. a Windows process start of an Office host (or VSTOInstaller.exe);
#   2. an argument that ends in an add-in extension
#      (.wll, .xll, .ppa, .ppam, .xla, .xlam, .vsto); `regex~` and `:` are
#      case-insensitive;
#   3. one of: the add-in path is under a user Temp/Downloads/Roaming dir,
#      a public or ProgramData dir, Windows\Temp, a raw \Device\ path or a
#      URL; or the parent is explorer.exe / OpenWith.exe; or the parent is
#      cmd.exe / powershell.exe.
# The trailing `not (...)` clauses are false-positive exclusions for known
# benign VSTO installer activity (Logitech Options installers, the
# VSTOInstaller.exe /Uninstall path, MSI managed custom actions via
# rundll32.exe, and the Sidekick Outlook add-in URL). Tune these for your
# environment rather than widening the path list.
query = '''
process where

 host.os.type == "windows" and event.type == "start" and

 process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and

 process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and

 /* Office Add-In from suspicious paths */
 (process.args :
 ("?:\\Users\\*\\Temp\\7z*",
 "?:\\Users\\*\\Temp\\Rar$*",
 "?:\\Users\\*\\Temp\\Temp?_*",
 "?:\\Users\\*\\Temp\\BNZ.*",
 "?:\\Users\\*\\Downloads\\*",
 "?:\\Users\\*\\AppData\\Roaming\\*",
 "?:\\Users\\Public\\*",
 "?:\\ProgramData\\*",
 "?:\\Windows\\Temp\\*",
 "\\Device\\*",
 "http*") or

 process.parent.name : ("explorer.exe", "OpenWith.exe") or

 /* Office Add-In from suspicious parent */
 process.parent.name : ("cmd.exe", "powershell.exe")) and

 /* False Positives */
 not (process.args : "*.vsto" and
 process.parent.executable :
 ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
 "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
 "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
 "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
 "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
 "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
 not (process.args : "/Uninstall" and process.name : "VSTOInstaller.exe") and
 not (process.parent.name : "rundll32.exe" and
 process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
 not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
'''

# ATT&CK mapping #1: Initial Access via a phishing attachment.
# [[rule.threat.technique]] and [rule.threat.tactic] belong to the
# [[rule.threat]] element directly above them.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

# ATT&CK mapping #2: Persistence via Office application startup add-ins.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"

[[rule.threat.technique.subtechnique]]
id = "T1137.006"
name = "Add-ins"
reference = "https://attack.mitre.org/techniques/T1137/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"