Persistence via Microsoft Office AddIns

calendar Sep 5, 2023 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/10/16"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins."
12from = "now-9m"
13index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
14language = "eql"
15license = "Elastic License v2"
16name = "Persistence via Microsoft Office AddIns"
17note = """## Setup
18
19If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
20"""
21references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"]
22risk_score = 73
23rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c"
24severity = "high"
25tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
26timestamp_override = "event.ingested"
27type = "eql"
28
29query = '''
30file where host.os.type == "windows" and event.type != "deletion" and
31 file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
32 file.path :
33    (
34    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
35    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
36    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
37    )
38'''
39
40
41[[rule.threat]]
42framework = "MITRE ATT&CK"
43[[rule.threat.technique]]
44id = "T1137"
45name = "Office Application Startup"
46reference = "https://attack.mitre.org/techniques/T1137/"
47
48
49[rule.threat.tactic]
50id = "TA0003"
51name = "Persistence"
52reference = "https://attack.mitre.org/tactics/TA0003/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

References

  • Add-In Opportunities for Office Persistence

    One software product that attackers will almost certainly find in the environments that they're targeting is Microsoft Office. Office applications due to this ubiquity present a consistent source of opportunity for persistence mechanisms.


    Read More

Related rules

to-top