Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
Sigma rule

title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
status: test
description: |
  Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
  This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
references:
  - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2024-07-16
tags:
  - attack.defense-evasion
  - attack.t1218
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Initiated: 'true'
    Image|endswith: '\addinutil.exe'
  condition: selection
falsepositives:
  - Unknown
level: high
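To show how the rule's selection block evaluates against Windows network_connection events, here is an added Python example (not part of the rule or the Sigma project) that applies the same two conditions to constructed Sysmon Event ID 3 style records; the image paths, IP addresses and ports are made up for illustration.

```python
"""Evaluate the AddinUtil.EXE network-connection selection over sample events.

Added example: mirrors the rule's `selection` block (Initiated == 'true' AND
Image ends with '\\addinutil.exe') using Sigma's default case-insensitive
string matching. Not part of the rule or of any Sigma tooling.
"""

# Constructed sample events in the shape of a Windows network_connection
# log (Sysmon Event ID 3 fields). Paths, IPs and ports are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # Inbound connection: Initiated is false, so the rule must not fire.
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe",
     "Initiated": "false", "DestinationIp": "192.0.2.5", "DestinationPort": "49152"},
    # Different image: normal system process, must not fire.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    # Image name matches regardless of directory; the rule keys on the name only.
    {"Image": r"C:\Users\alice\AppData\Local\Temp\AddinUtil.exe",
     "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": "8080"},
]


def matches_selection(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection` block.

    Sigma compares strings case-insensitively by default, so both the
    `Initiated: 'true'` equality and the `Image|endswith` test are done on
    lower-cased values. A missing field never matches.
    """
    initiated = str(event.get("Initiated", "")).lower()
    image = str(event.get("Image", "")).lower()
    return initiated == "true" and image.endswith("\\addinutil.exe")


def find_alerts(events):
    """Return the events that would raise this rule's (level: high) alert."""
    return [e for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT AddinUtil network connection: {hit['Image']} -> "
              f"{hit['DestinationIp']}:{hit['DestinationPort']}")
```

Running it reports the first and last sample events; the inbound connection and the svchost.exe event are left alone, which is exactly the split the rule's two conditions produce.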
References
- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE