Persistence via Microsoft Office AddIns

calendar Apr 1, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/10/16"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = "Detects attempts to establish persistence on an endpoint by abusing Microsoft Office add-ins."
12from = "now-9m"
13index = ["logs-endpoint.events.file-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
14language = "eql"
15license = "Elastic License v2"
16name = "Persistence via Microsoft Office AddIns"
17references = ["https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence"]
18risk_score = 73
19rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c"
20setup = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
23events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
24Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
25`event.ingested` to @timestamp.
26For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
27"""
28severity = "high"
29tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34file where host.os.type == "windows" and event.type != "deletion" and
35 file.extension : ("wll","xll","ppa","ppam","xla","xlam") and
36 file.path :
37    (
38    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*",
39    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*",
40    "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*"
41    )
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1137"
49name = "Office Application Startup"
50reference = "https://attack.mitre.org/techniques/T1137/"
51
52[[rule.threat.technique.subtechnique]]
53id = "T1137.006"
54name = "Add-ins"
55reference = "https://attack.mitre.org/techniques/T1137/006/"
56
57[rule.threat.tactic]
58id = "TA0003"
59name = "Persistence"
60reference = "https://attack.mitre.org/tactics/TA0003/"

References

  • Add-In Opportunities for Office Persistence

    One software product that attackers will almost certainly find in the environments that they're targeting is Microsoft Office. Office applications due to this ubiquity present a consistent source of opportunity for persistence mechanisms.


    Read More

Related rules

to-top