Persistence via Microsoft Office AddIns

Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.


# Rule lifecycle metadata. The dates are strings in Elastic's YYYY/MM/DD rule convention,
# not TOML dates, so keep them quoted.
[metadata]
creation_date = "2020/10/16"
# Integrations whose data streams the rule reads; they correspond to the
# logs-endpoint.* and logs-windows.* patterns listed under [rule].index.
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins."
# Lookback window per rule execution. Because timestamp_override (below) is event.ingested,
# this window is measured against ingest time, not the event's own @timestamp; see `setup`.
from = "now-9m"
# Data sources: Elastic Defend file events, Winlogbeat / Sysmon operational logs, and Endgame.
index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Microsoft Office AddIns"
references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"]
# risk_score and severity are paired; 73 / "high" should be changed together.
risk_score = 73
rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c"
# Rendered as Markdown in the rule UI. Runtime text: edit content, not quoting.
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Query notes:
# - The body is a TOML literal string ('''), so the `\\` sequences reach EQL unchanged;
#   EQL then treats `\\` as one escaped backslash in the path pattern. Do not collapse
#   them to single backslashes.
# - `:` is EQL's case-insensitive wildcard match, so extension and path matching is
#   case-insensitive and `*` matches the per-user directory name.
# - `event.type != "deletion"` keeps every Windows file event except deletions.
# - Matched locations are per-user Roaming profile add-in directories only
#   (Word Startup, the shared AddIns folder, Excel XLSTART).
# - NOTE(review): legitimate add-in installs or Office updates may write to these
#   paths as well; expect to tune exceptions per environment — confirm on real data.
query = '''
file where host.os.type == "windows" and event.type != "deletion" and
 file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
 file.path :
    (
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
    )
'''


# MITRE ATT&CK mapping. Each [[rule.threat]] element holds one framework/tactic pairing;
# the technique array and the tactic sub-table below belong to this single element.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1137"
name = "Office Application Startup"
reference = "https://attack.mitre.org/techniques/T1137/"
[[rule.threat.technique.subtechnique]]
id = "T1137.006"
name = "Add-ins"
reference = "https://attack.mitre.org/techniques/T1137/006/"



# Sub-table of the current [[rule.threat]] element; it must stay after that header and
# before any further [[rule.threat]] entry, or TOML attaches it to the wrong element.
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
