Persistence via Microsoft Office AddIns
Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.
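[metadata]
creation_date = "2020/10/16"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2024/10/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins."
from = "now-9m"
index = [
    "logs-endpoint.events.file-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Microsoft Office AddIns"
references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"]
risk_score = 73
rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

# Windows file events only. "deletion" is the single excluded event.type, so creation,
# modification and rename of a matching file all alert; removing an add-in does not.
# The extension list is the set of Office add-in file formats this rule watches; the
# EQL ":" operator matches case-insensitively, so "XLL" and "xll" are treated alike.
# The path set is the per-user Office startup/add-in folders under the roaming profile.
# The drive letter is wildcarded with "?" (one character in EQL) so a user profile on a
# non-C: volume is still matched; this is a strict superset of the former "C:" prefix.
# NOTE(review): only per-user folders are covered. Machine-wide Office STARTUP / XLSTART
# folders under Program Files are not matched here; weigh installer noise before adding them.
query = '''
file where host.os.type == "windows" and event.type != "deletion" and
 file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
 file.path :
 (
 "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
 "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
 "?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
 )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"

[[rule.threat.technique.subtechnique]]
id = "T1137.006"
name = "Add-ins"
reference = "https://attack.mitre.org/techniques/T1137/006/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"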