Network Connection Initiated By AddinUtil.EXE
Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
Sigma rule

```yaml
title: Network Connection Initiated By AddinUtil.EXE
id: 5205613d-2a63-4412-a895-3a2458b587b3
status: test
description: |
    Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe".
    This could indicate a potential command and control communication as this tool doesn't usually initiate network activity.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
modified: 2024/07/16
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\addinutil.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
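To show what the rule's `selection` block actually evaluates, here is an added example (not part of the Sigma rule or the SigmaHQ project) that applies the same two-field test to a handful of constructed Sysmon Event ID 3 records, the event type the `windows` / `network_connection` logsource maps to. Event field names follow Sysmon; the sample values (paths, users, addresses) are invented for the test and are not real telemetry.

```python
"""Evaluate the 'Network Connection Initiated By AddinUtil.EXE' Sigma selection
over constructed Sysmon Event ID 3 (network_connection) records.

Assumptions (example code, not from the rule page):
- events are dicts keyed by Sysmon field names (Image, Initiated, ...);
- Sigma string matching is case-insensitive, so both sides are lower-cased.
"""

# Constructed sample events. Addresses use RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {   # Outbound connection from the real AddInUtil.exe path: should alert.
        "EventID": 3,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe",
        "Initiated": "true",
        "DestinationIp": "203.0.113.10",
        "DestinationPort": 443,
        "User": "CORP\\jdoe",
    },
    {   # Ordinary browser traffic: image does not match.
        "EventID": 3,
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "Initiated": "true",
        "DestinationIp": "198.51.100.7",
        "DestinationPort": 443,
        "User": "CORP\\jdoe",
    },
    {   # Inbound connection accepted by the process: Initiated is 'false',
        # so the rule must not fire even though the image matches.
        "EventID": 3,
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\addinutil.exe",
        "Initiated": "false",
        "DestinationIp": "10.0.0.5",
        "DestinationPort": 49152,
        "User": "CORP\\svc",
    },
    {   # Path that merely contains the string: |endswith must reject it.
        "EventID": 3,
        "Image": r"C:\Temp\addinutil.exe.bak.exe",
        "Initiated": "true",
        "DestinationIp": "192.0.2.44",
        "DestinationPort": 8080,
        "User": "CORP\\jdoe",
    },
]


def selection_matches(event: dict) -> bool:
    """Sigma 'selection': Initiated: 'true' AND Image|endswith: '\\addinutil.exe'."""
    initiated = str(event.get("Initiated", "")).lower() == "true"
    image = str(event.get("Image", "")).lower()
    return initiated and image.endswith("\\addinutil.exe")


def run_rule(events) -> list:
    """'condition: selection' -- return every event the selection matches."""
    return [e for e in events if selection_matches(e)]


def summarize(event: dict) -> str:
    """One-line alert text for a matching event."""
    return (f"{event['User']} {event['Image']} -> "
            f"{event['DestinationIp']}:{event['DestinationPort']}")


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT [high]", summarize(hit))
```

Two points the sample set is built to exercise: `Initiated` distinguishes outbound connections from inbound ones the process merely accepted, and `|endswith` anchors on the full `\addinutil.exe` file name rather than a substring. Sysmon only emits Event ID 3 for processes its `NetworkConnect` filter includes, so the rule can only fire on hosts whose Sysmon configuration logs connections from this binary.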
Related rules
- Uncommon Child Process Of Setres.EXE
- Uncommon Link.EXE Parent Process
- BitLockerTogo.EXE Execution
- AgentExecutor PowerShell Execution
- Malicious PE Execution by Microsoft Visual Studio Debugger