Persistence via Microsoft Office AddIns

Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.


 1[metadata]
 2creation_date = "2020/10/16"
 3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins."
12from = "now-9m"
13index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
14language = "eql"
15license = "Elastic License v2"
16name = "Persistence via Microsoft Office AddIns"
17references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"]
18risk_score = 73
19rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c"
20severity = "high"
21tags = [
22    "Domain: Endpoint",
23    "OS: Windows",
24    "Use Case: Threat Detection",
25    "Tactic: Persistence",
26    "Data Source: Elastic Endgame",
27    "Data Source: Elastic Defend",
28    "Data Source: Sysmon",
29    "Data Source: Microsoft Defender for Endpoint",
30    "Data Source: SentinelOne",
31]
32timestamp_override = "event.ingested"
33type = "eql"
34
35query = '''
36file where host.os.type == "windows" and event.type != "deletion" and
37 file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
38 file.path :
39    (
40    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
41    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
42    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
43    )
44'''
45
46
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1137"
51name = "Office Application Startup"
52reference = "https://attack.mitre.org/techniques/T1137/"
53[[rule.threat.technique.subtechnique]]
54id = "T1137.006"
55name = "Add-ins"
56reference = "https://attack.mitre.org/techniques/T1137/006/"
57
58
59
60[rule.threat.tactic]
61id = "TA0003"
62name = "Persistence"
63reference = "https://attack.mitre.org/tactics/TA0003/"
