Uncommon Child Process Of AddinUtil.EXE
Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Sigma rule (View on GitHub)
1title: Uncommon Child Process Of AddinUtil.EXE
2id: b5746143-59d6-4603-8d06-acbd60e166ee
3status: experimental
4description: |
5 Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
6references:
7 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
8author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
9date: 2023/09/18
10tags:
11 - attack.defense_evasion
12 - attack.t1218
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 ParentImage|endswith: '\addinutil.exe'
19 filter_main_werfault:
20 Image|endswith:
21 - ':\Windows\System32\conhost.exe'
22 - ':\Windows\System32\werfault.exe'
23 - ':\Windows\SysWOW64\werfault.exe'
24 condition: selection and not 1 of filter_main_*
25falsepositives:
26 - Unknown
27level: medium
References
Related rules
- AddinUtil.EXE Execution From Uncommon Directory
- Uncommon AddinUtil.EXE CommandLine Execution
- Time Travel Debugging Utility Usage - Image
- Suspicious Calc Child Process
- Suspicious Process Injection to Explorer