Persistence via Microsoft Office AddIns
Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.
Elastic rule
[metadata]
creation_date = "2020/10/16"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/08/26"

[rule]
author = ["Elastic"]
description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins."
from = "now-9m"
index = [
    "logs-endpoint.events.file-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Microsoft Office AddIns"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Persistence via Microsoft Office AddIns

Microsoft Office AddIns enhance productivity by allowing custom functionalities in Office applications. However, adversaries exploit this by placing malicious add-ins in specific startup directories, ensuring execution each time the application launches. The detection rule identifies suspicious files with extensions like .xll or .xlam in these directories, flagging potential persistence mechanisms on Windows systems.

### Possible investigation steps

- Review the file path and extension from the alert to confirm it matches the suspicious directories and extensions specified in the detection rule, such as .xll or .xlam in the Microsoft Office startup directories.
- Check the file creation and modification timestamps to determine when the suspicious file was added or altered, which can help establish a timeline of potential malicious activity.
- Investigate the file's origin by examining recent file downloads, email attachments, or network activity that might have introduced the file to the system.
- Analyze the file's contents or hash against known malware databases to identify if it is a known threat or potentially malicious.
- Review user activity and system logs around the time the file was created or modified to identify any unusual behavior or processes that could be related to the persistence mechanism.
- Assess the impacted user's role and access level to determine the potential risk and impact of the persistence mechanism on the organization.

### False positive analysis

- Legitimate add-ins installed by trusted software vendors may trigger alerts. Verify the source and publisher of the add-in to determine its legitimacy.
- Custom add-ins developed internally for business purposes can be flagged. Maintain a whitelist of known internal add-ins to prevent unnecessary alerts.
- Frequent updates to legitimate add-ins might cause repeated alerts. Implement version control and update the whitelist accordingly to accommodate these changes.
- User-specific add-ins for accessibility or productivity tools may be detected. Educate users on safe add-in practices and monitor for any unusual behavior.
- Temporary add-ins used for specific projects or tasks can be mistaken for threats. Document and review these cases to ensure they are recognized as non-threatening.

### Response and remediation

- Isolate the affected endpoint from the network to prevent further spread of the potential threat.
- Terminate any suspicious Microsoft Office processes that may be running add-ins from the identified directories.
- Remove the malicious add-in files from the specified startup directories: "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\", "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\", and "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\".
- Conduct a full antivirus and antimalware scan on the affected system using tools like Microsoft Defender for Endpoint to ensure no other malicious files are present.
- Review and restore any altered system configurations or settings to their default state to ensure system integrity.
- Monitor the affected system and network for any signs of re-infection or related suspicious activity, using enhanced logging and alerting mechanisms.
- Escalate the incident to the security operations center (SOC) or relevant IT security team for further analysis and to determine if additional systems are affected."""
references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"]
risk_score = 73
rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type != "deletion" and
  file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
  file.path : (
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*",

    /* Crowdstrike specific condition as it uses NT Object paths */
    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
    "\\Device\\HarddiskVolume*\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"
[[rule.threat.technique.subtechnique]]
id = "T1137.006"
name = "Add-ins"
reference = "https://attack.mitre.org/techniques/T1137/006/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
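To see exactly which events the query above fires on, here is an added Python re-implementation of its match logic (not part of the Elastic rule or the detection-rules repository), run over a few constructed file events. It reproduces the EQL `:` operator's case-insensitive wildcard matching, the `deletion` exclusion, and the CrowdStrike NT-object-path variant; the event dictionaries use flat ECS-style keys and are invented for illustration.

```python
from fnmatch import fnmatchcase

# Extensions and startup-directory patterns copied from the rule's query.
ADDIN_EXTENSIONS = {"wll", "xll", "ppa", "ppam", "xla", "xlam"}
STARTUP_PATH_PATTERNS = [
    r"C:\Users\*\AppData\Roaming\Microsoft\Word\Startup\*",
    r"C:\Users\*\AppData\Roaming\Microsoft\AddIns\*",
    r"C:\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\*",
    # CrowdStrike FDR reports NT object paths instead of drive letters.
    r"\Device\HarddiskVolume*\Users\*\AppData\Roaming\Microsoft\Word\Startup\*",
    r"\Device\HarddiskVolume*\Users\*\AppData\Roaming\Microsoft\AddIns\*",
    r"\Device\HarddiskVolume*\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\*",
]


def matches_rule(event: dict) -> bool:
    """True when a file event satisfies the rule's EQL query.

    EQL's ':' operator is case-insensitive and treats '*' as a wildcard,
    so both the value and the pattern are lower-cased before fnmatch.
    """
    if event.get("event.category") != "file":          # 'file where ...'
        return False
    if event.get("host.os.type") != "windows":
        return False
    if event.get("event.type") == "deletion":          # removals are not persistence
        return False
    ext = str(event.get("file.extension", "")).lower()
    if ext not in ADDIN_EXTENSIONS:
        return False
    path = str(event.get("file.path", "")).lower()
    return any(fnmatchcase(path, pat.lower()) for pat in STARTUP_PATH_PATTERNS)


def alerting_paths(events) -> list:
    """Paths of all events that would raise this alert."""
    return [e["file.path"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical usernames and file names).
SAMPLE_EVENTS = [
    {"event.category": "file", "event.type": "creation", "host.os.type": "windows",
     "file.extension": "xll", "file.path": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\quote.xll"},
    {"event.category": "file", "event.type": "deletion", "host.os.type": "windows",
     "file.extension": "xll", "file.path": r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\quote.xll"},
    {"event.category": "file", "event.type": "creation", "host.os.type": "windows",   # CrowdStrike-style path, upper-case ext
     "file.extension": "WLL", "file.path": r"\Device\HarddiskVolume3\Users\bob\AppData\Roaming\Microsoft\Word\Startup\Notes.WLL"},
    {"event.category": "file", "event.type": "creation", "host.os.type": "windows",   # add-in outside a startup directory
     "file.extension": "xlam", "file.path": r"C:\Users\carol\Documents\budget.xlam"},
]

if __name__ == "__main__":
    for p in alerting_paths(SAMPLE_EVENTS):
        print("ALERT:", p)
```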
Related rules
- Netsh Helper DLL
- Office Test Registry Persistence
- Persistence via Microsoft Outlook VBA
- Persistence via PowerShell profile
- Werfault ReflectDebugger Persistence