Uncommon AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInUtil.exe) with uncommon AddInRoot or PipelineRoot paths. An adversary may execute AddInUtil.exe with uncommon AddInRoot/PipelineRoot paths that point to the adversary's Addins.Store payload.
Sigma rule
```yaml
title: Uncommon AddinUtil.EXE CommandLine Execution
id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a
status: test
description: |
    Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\addinutil.exe'
        - OriginalFileName: 'AddInUtil.exe'
    selection_cli:
        CommandLine|contains:
            - '-AddInRoot:'
            - '-PipelineRoot:'
    filter_main_addinroot:
        CommandLine|contains:
            - '-AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
            - '-AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
            - '-PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
            - '-PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
```
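To see what the detection block above actually alerts on, here is an added example (not part of the Sigma project or of this rule page): a small Python evaluator that transcribes the rule's selections and condition and runs them over constructed process_creation events. It applies Sigma's case-insensitive string matching and the usual semantics (a selection written as a YAML list of maps is an OR of those maps, fields within a map are ANDed, several values for one field are ORed). The image paths, command lines and the `VSTA` pipeline directory used in the sample events are constructed for illustration.

```python
"""Evaluate the 'Uncommon AddinUtil.EXE CommandLine Execution' logic over sample events."""

# Detection block transcribed from the rule. Keys are "Field|modifier";
# a bare field name means an exact (case-insensitive) match.
DETECTION = {
    "selection_img": [                      # list of maps -> OR
        {"Image|endswith": r"\addinutil.exe"},
        {"OriginalFileName": "AddInUtil.exe"},
    ],
    "selection_cli": {"CommandLine|contains": ["-AddInRoot:", "-PipelineRoot:"]},
    "filter_main_addinroot": {"CommandLine|contains": [
        r'-AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA',
        r'-AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA',
        r'-PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA',
        r'-PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA',
    ]},
}


def _match_value(actual: str, modifier: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive; support the modifiers the rule uses."""
    a, p = actual.lower(), pattern.lower()
    if modifier == "endswith":
        return a.endswith(p)
    if modifier == "contains":
        return p in a
    return a == p                            # no modifier: exact match


def match_selection(event: dict, selection) -> bool:
    """A list of maps matches if ANY map matches; a map matches if ALL its fields match;
    a field with several values matches if ANY value matches."""
    for clause in selection if isinstance(selection, list) else [selection]:
        ok = True
        for key, values in clause.items():
            field, _, modifier = key.partition("|")
            actual = event.get(field, "")
            values = values if isinstance(values, list) else [values]
            if not any(_match_value(actual, modifier, v) for v in values):
                ok = False
                break
        if ok:
            return True
    return False


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* and not 1 of filter_main_*"""
    selections = [v for k, v in DETECTION.items() if k.startswith("selection_")]
    filters = [v for k, v in DETECTION.items() if k.startswith("filter_main_")]
    return (all(match_selection(event, s) for s in selections)
            and not any(match_selection(event, f) for f in filters))


def evaluate(events: list) -> list:
    """Return one bool per event: True where the rule would alert."""
    return [rule_matches(e) for e in events]


# Constructed sample events (not real telemetry); field names follow Sigma's process_creation model.
VSTA = r"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline"
ADDINUTIL = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
SAMPLE_EVENTS = [
    # 1: routine VSTA cache rebuild, quoted paths -> suppressed by the filter
    {"Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": rf'AddInUtil.exe -AddInRoot:"{VSTA}" -PipelineRoot:"{VSTA}"'},
    # 2: same roots, unquoted -> suppressed by the unquoted filter variants
    {"Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": rf"AddInUtil.exe -AddInRoot:{VSTA} -PipelineRoot:{VSTA}"},
    # 3: AddInRoot under an uncommon directory -> alert
    {"Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": r'AddInUtil.exe -AddInRoot:"C:\Users\Public\AddIns"'},
    # 4: renamed binary; OriginalFileName from the PE header still matches -> alert
    {"Image": r"C:\Temp\au.exe", "OriginalFileName": "AddInUtil.exe",
     "CommandLine": r"au.exe -PipelineRoot:D:\staging\pipeline"},
    # 5: neither root switch present -> selection_cli fails, no alert
    {"Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": "AddInUtil.exe -help"},
    # 6: uncommon AddInRoot but PipelineRoot under VSTA -> suppressed, because the
    #    filter is "1 of" and matches on any single VSTA root string
    {"Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": rf'AddInUtil.exe -AddInRoot:"C:\Users\Public\AddIns" -PipelineRoot:"{VSTA}"'},
]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "quiet ", event["CommandLine"])
```

Running it shows events 3 and 4 alerting and the rest staying quiet. Event 6 is the tuning point worth knowing when deploying the rule: the `filter_main_addinroot` exclusion suppresses the event as soon as either root points at the VSTA directory, so a deployment that wants to catch a mixed command line would need the filter to require both roots to be under VSTA rather than one of them.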
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE