Uncommon Child Process Of AddinUtil.EXE

Oct 5, 2023 · attack.defense_evasion attack.t1218 ·

Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.

Sigma rule (View on GitHub)

 1title: Uncommon Child Process Of AddinUtil.EXE
 2id: b5746143-59d6-4603-8d06-acbd60e166ee
 3status: experimental
 4description: |
 5        Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
 6references:
 7    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
 8author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
 9date: 2023/09/18
10tags:
11    - attack.defense_evasion
12    - attack.t1218
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        ParentImage|endswith: '\addinutil.exe'
19    filter_main_werfault:
20        Image|endswith:
21            - ':\Windows\System32\conhost.exe'
22            - ':\Windows\System32\werfault.exe'
23            - ':\Windows\SysWOW64\werfault.exe'
24    condition: selection and not 1 of filter_main_*
25falsepositives:
26    - Unknown
27level: medium

References

Blue-Prints Blog - Insecure Deserialization in AddinUtil.exe

We explore a method to gain proxy execution through the native .NET utility AddinUtil.exe

Read More

Uncommon Child Process Of AddinUtil.EXE

Sigma rule (View on GitHub)

References

Blue-Prints Blog - Insecure Deserialization in AddinUtil.exe

Related rules