Suspicious Execution via Microsoft Office Add-Ins
Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
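[metadata]
creation_date = "2023/03/20"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with
an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.
"""
# Look-back window per execution; read together with timestamp_override below.
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Execution via Microsoft Office Add-Ins"
references = [
    "https://github.com/Octoberfest7/XLL_Phishing",
    "https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/",
]
risk_score = 47
rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
# The "from" window is applied to ingest time rather than event time, so endpoint events that
# arrive late are still evaluated instead of falling outside the window.
timestamp_override = "event.ingested"
type = "eql"

# Query structure:
#   1. process start of an Office host application, or of VSTOInstaller.exe;
#   2. some argument ends in an add-in extension (regex~ is the case-insensitive regex operator);
#   3. either the add-in argument points at a temp/download/roaming/public location, a device
#      path or a URL, or the parent is explorer.exe/OpenWith.exe (file opened by double-click),
#      or the parent is a command shell;
#   4. known-good exclusions for Logitech and Microsoft VSTO installers, VSTO uninstalls,
#      MSI custom actions via rundll32.exe, and one specific Sidekick VSTO URL.
# NOTE(review): the explorer.exe/OpenWith.exe parent branch matches any add-in opened by
# double-click regardless of path, so it is the broadest branch and the likeliest source of
# benign hits; tune it first if the rule is noisy in an environment with many legitimate add-ins.
# NOTE(review): the exclusions are path-only. "?:\\ProgramData\\..." is commonly writable by
# standard users, so where the data source populates it, also requiring a trusted parent signature
# (e.g. process.parent.code_signature.trusted == true) would make those exclusions harder to
# satisfy with an unsigned binary — confirm field availability per data source before relying on it.
# NOTE(review): the "PlugInInstallerUtility.exe" exclusion is already covered by the
# "PlugInInstallerUtility*.exe" pattern two lines above it (the * also matches an empty string).
query = '''
process where

    host.os.type == "windows" and event.type == "start" and

    process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and

    process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and

    /* Office Add-In from suspicious paths */
    (process.args :
        ("?:\\Users\\*\\Temp\\7z*",
         "?:\\Users\\*\\Temp\\Rar$*",
         "?:\\Users\\*\\Temp\\Temp?_*",
         "?:\\Users\\*\\Temp\\BNZ.*",
         "?:\\Users\\*\\Downloads\\*",
         "?:\\Users\\*\\AppData\\Roaming\\*",
         "?:\\Users\\Public\\*",
         "?:\\ProgramData\\*",
         "?:\\Windows\\Temp\\*",
         "\\Device\\*",
         "http*") or

     process.parent.name : ("explorer.exe", "OpenWith.exe") or

     /* Office Add-In from suspicious parent */
     process.parent.name : ("cmd.exe", "powershell.exe")) and

    /* False Positives */
    not (process.args : "*.vsto" and
         process.parent.executable :
               ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
                "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
                "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
                "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
                "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
                "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
    not (process.args : "/Uninstall" and process.name : "VSTOInstaller.exe") and
    not (process.parent.name : "rundll32.exe" and
         process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
    not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
'''


# Each [[rule.threat]] entry pairs one tactic with the technique/sub-technique it maps to.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"
[[rule.threat.technique.subtechnique]]
id = "T1137.006"
name = "Add-ins"
reference = "https://attack.mitre.org/techniques/T1137/006/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"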