Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInUtil.exe". This could indicate command-and-control communication, since this tool does not normally initiate network activity on its own.
Sigma rule
title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
status: experimental
description: |
    Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
    This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\addinutil.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
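To see exactly what the selection above fires on, here is an added Python example (not part of the rule or of SigmaHQ) that applies the same two clauses to a handful of constructed records shaped like the EventData of Sysmon Event ID 3, the Windows source that Sigma's `network_connection` category is normally mapped to. It reproduces two details a backend conversion has to get right: Sigma string matching is case-insensitive, and `Initiated: 'true'` deliberately excludes inbound connections accepted by the process. The image paths, IPs and ports are sample values, not captured telemetry.

```python
"""Apply the AddInUtil.exe network-connection selection to Sysmon records.

Added example, not part of the Sigma rule or SigmaHQ. The records below are
constructed samples shaped like the EventData of Sysmon Event ID 3; the
paths, IPs and ports are illustrative, not captured telemetry.
"""

# The rule's selection, expressed as (field, modifier, value).
# Sigma string matching is case-insensitive, so comparisons lowercase both sides.
RULE_SELECTION = [
    ("Initiated", "equals", "true"),
    ("Image", "endswith", r"\addinutil.exe"),
]

SAMPLE_EVENTS = [
    # 1. Outbound TLS connection from the .NET Framework copy of the binary: should fire.
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # 2. Inbound connection accepted by the same binary: Initiated is false, no match.
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe",
     "Initiated": "false", "DestinationIp": "198.51.100.7", "DestinationPort": 50123},
    # 3. Ordinary browser traffic: different image, no match.
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # 4. Copy dropped in a user-writable directory, upper-cased name:
    #    endswith still matches and the comparison is case-insensitive.
    {"EventID": 3, "Image": r"C:\Users\Public\ADDINUTIL.EXE",
     "Initiated": "true", "DestinationIp": "192.0.2.44", "DestinationPort": 8080},
    # 5. Directory merely named like the binary: the image name differs, no match.
    {"EventID": 3, "Image": r"C:\Temp\addinutil.exe\svchost.exe",
     "Initiated": "true", "DestinationIp": "192.0.2.44", "DestinationPort": 8080},
]


def _field_matches(event, field, modifier, value):
    # str() covers pipelines that normalise Sysmon's "true"/"false" strings to booleans.
    actual = str(event.get(field, "")).lower()
    expected = value.lower()
    if modifier == "equals":
        return actual == expected
    if modifier == "endswith":
        return actual.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_rule(event):
    """True when every clause matches: Sigma ANDs the fields of one selection map."""
    return all(_field_matches(event, f, m, v) for f, m, v in RULE_SELECTION)


def find_matches(events):
    """Return the records that would raise this rule's alert."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Records 1 and 4 fire; 2, 3 and 5 do not. Note what the selection does not cover: it keys on the image name only, so a copy renamed to something else produces no match, and a legitimate connection from the genuine binary (the rule lists its false positives as unknown) looks identical to a malicious one. Triage therefore hinges on the parent process, the destination and the command line from the matching process-creation event rather than on this alert alone.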
Related rules
- Import LDAP Data Interchange Format File Via Ldifde.EXE
- Potential Compromised 3CXDesktopApp Execution
- Potential Compromised 3CXDesktopApp Update Activity
- Binary Proxy Execution Via Dotnet-Trace.EXE
- Arbitrary File Download Via MSPUB.EXE