Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
Sigma rule (View on GitHub)
1title: Code Executed Via Office Add-in XLL File
2id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
3status: test
4description: |
5 Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
6 Office add-ins can be used to add functionality to Office programs
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
9author: frack113
10date: 2021/12/28
11tags:
12 - attack.persistence
13 - attack.t1137.006
14logsource:
15 product: windows
16 category: ps_script
17 definition: 'Requirements: Script Block Logging must be enabled'
18detection:
19 selection:
20 ScriptBlockText|contains|all:
21 - 'new-object '
22 - '-ComObject '
23 - '.application'
24 - '.RegisterXLL'
25 condition: selection
26falsepositives:
27 - Unknown
28level: high
References
Related rules
- Creation Exe for Service with Unquoted Path
- Manipulation of User Computer or Group Security Principals Across AD
- Powershell Create Scheduled Task
- Powershell LocalAccount Manipulation
- Registry-Free Process Scope COR_PROFILER