Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
Sigma rule (View on GitHub)
1title: Code Executed Via Office Add-in XLL File
2id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
3status: test
4description: |
5 Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
6 Office add-ins can be used to add functionality to Office programs
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
9author: frack113
10date: 2021-12-28
11tags:
12 - attack.persistence
13 - attack.t1137.006
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection:
20 ScriptBlockText|contains|all:
21 - 'new-object '
22 - '-ComObject '
23 - '.application'
24 - '.RegisterXLL'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Potential Persistence Via Excel Add-in - Registry
- Potential Persistence Via Microsoft Office Add-In
- Potential Persistence Via Visual Studio Tools for Office
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group