Suspicious Execution via Microsoft Office Add-Ins

Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.


# Elastic prebuilt detection rule (EQL). Fires on a Windows process start of an
# Office application or VSTOInstaller.exe whose arguments name an add-in file
# (.wll/.xll/.ppa/.ppam/.xla/.xlam/.vsto) located in a user-writable, download
# or device path, or launched from an unusual parent process.
[metadata]
creation_date = "2023/03/20"
# Integrations whose data streams the `index` patterns under [rule] cover.
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with
an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
"""
# Look-back window per rule run. Paired with `timestamp_override` below, the
# window is measured on ingest time — presumably to tolerate delayed delivery
# of endpoint events.
from = "now-9m"
# Process events from Elastic Defend, Sysmon (Windows integration) and Elastic
# Endgame; these correspond to the "Data Source:" tags further down.
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Microsoft Office Add-Ins"
# Background reading: XLL-based phishing and add-in persistence techniques.
references = [
    "https://github.com/Octoberfest7/XLL_Phishing",
    "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
]
# risk_score and severity are set as a pair; keep them consistent when tuning.
risk_score = 47
rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Query structure — all of the following must hold:
#   1. A Windows process-start event.
#   2. The started process is Word, Excel, PowerPoint, Access or VSTOInstaller.exe.
#   3. Some argument ends in an add-in extension (`regex~` is case-insensitive).
#   4. Either an argument points into a temp/archive-extraction directory,
#      Downloads, AppData\Roaming, Users\Public, ProgramData, Windows\Temp,
#      a \Device\ path or an http(s) URL; OR the parent is explorer.exe /
#      OpenWith.exe (likely the user opening the add-in file directly); OR the
#      parent is cmd.exe / powershell.exe.
# The trailing `not (...)` clauses exclude known benign VSTO activity: Logitech
# Options / Options+ plug-in installs, VSTOInstaller.exe uninstalls, MSI managed
# custom actions invoked through rundll32.exe, and the Sidekick Outlook add-in
# deployment URL.
# Tuning note: the explorer.exe branch and the AppData\Roaming\* wildcard are
# broad by design; if the rule is noisy, add environment-specific exclusions to
# the "False Positives" block rather than narrowing the extension regex.
query = '''
process where 
    
    host.os.type == "windows" and event.type == "start" and  
    
    process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and 
    
    process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and 
    
    /* Office Add-In from suspicious paths */
    (process.args :
             ("?:\\Users\\*\\Temp\\7z*",
              "?:\\Users\\*\\Temp\\Rar$*",
              "?:\\Users\\*\\Temp\\Temp?_*",
              "?:\\Users\\*\\Temp\\BNZ.*",
              "?:\\Users\\*\\Downloads\\*",
              "?:\\Users\\*\\AppData\\Roaming\\*",
              "?:\\Users\\Public\\*",
              "?:\\ProgramData\\*",
              "?:\\Windows\\Temp\\*",
              "\\Device\\*",
              "http*") or
	      
    process.parent.name : ("explorer.exe", "OpenWith.exe") or 
    
    /* Office Add-In from suspicious parent */
    process.parent.name : ("cmd.exe", "powershell.exe")) and
	  
    /* False Positives */
    not (process.args : "*.vsto" and
         process.parent.executable :
                   ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
                    "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
                    "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
                    "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
                    "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
                    "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
    not (process.args : "/Uninstall" and process.name : "VSTOInstaller.exe") and
    not (process.parent.name : "rundll32.exe" and
         process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
    not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
'''


# MITRE ATT&CK mapping. Each [[rule.threat]] element pairs one tactic with the
# technique(s) it covers; a [rule.threat.tactic] table belongs to the
# [[rule.threat]] element that precedes it.
# First element: the add-in launch as a phishing-attachment initial-access vector.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
# Second element: the same add-in launch viewed as an Office persistence mechanism.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"
[[rule.threat.technique.subtechnique]]
id = "T1137.006"
name = "Add-ins"
reference = "https://attack.mitre.org/techniques/T1137/006/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
