Uncommon AddinUtil.EXE CommandLine Execution
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
Sigma rule (View on GitHub)
1title: Uncommon AddinUtil.EXE CommandLine Execution
2id: 4f2cd9b6-4a17-440f-bb2a-687abb65993a
3status: experimental
4description: |
5 Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
6references:
7 - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
8author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
9date: 2023/09/18
10tags:
11 - attack.defense_evasion
12 - attack.t1218
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection_img:
18 - Image|endswith: '\addinutil.exe'
19 - OriginalFileName: 'AddInUtil.exe'
20 selection_cli:
21 CommandLine|contains:
22 - '-AddInRoot:'
23 - '-PipelineRoot:'
24 filter_main_addinroot:
25 CommandLine|contains:
26 - '-AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
27 - '-AddInRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
28 - '-PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
29 - '-PipelineRoot:C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA'
30 condition: all of selection_* and not 1 of filter_main_*
31falsepositives:
32 - Unknown
33level: medium
References
Related rules
- AddinUtil.EXE Execution From Uncommon Directory
- Uncommon Child Process Of AddinUtil.EXE
- Time Travel Debugging Utility Usage - Image
- Suspicious Calc Child Process
- Suspicious Process Injection to Explorer