AddinUtil.EXE Execution From Uncommon Directory
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
Sigma rule (View on GitHub)
title: AddinUtil.EXE Execution From Uncommon Directory
id: 6120ac2a-a34b-42c0-a9bd-1fb9f459f348
status: test
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
modified: 2025-02-24
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\addinutil.exe'
        - OriginalFileName: 'AddInUtil.exe'
    filter_main_legit_location:
        Image|contains:
            - ':\Windows\Microsoft.NET\Framework\'
            - ':\Windows\Microsoft.NET\Framework64\'
            - ':\Windows\Microsoft.NET\FrameworkArm\'
            - ':\Windows\Microsoft.NET\FrameworkArm64\'
            - ':\Windows\WinSxS\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
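The rule's logic is small enough to trace by hand: the `selection` block is a list, so its two entries are OR'ed (a process whose image path ends in `\addinutil.exe`, or whose PE `OriginalFileName` is `AddInUtil.exe`, which still fires when the binary is copied under another name), and the filter suppresses only images living under the .NET Framework or WinSxS directories. The following is an added example, not part of the SigmaHQ rule or any Sigma backend, that re-implements that condition in Python and runs it over a constructed set of process-creation events. Sigma string matching is case-insensitive by default, so the comparison is done on lower-cased values; the event field names mirror the rule, and the `id` field and all paths are constructed for the example.

```python
"""Added example: evaluate the AddinUtil.EXE Sigma rule over sample events.

This is illustrative code, not a Sigma backend. Field names follow the
rule (Image, OriginalFileName); event ids and paths are constructed.
"""
from typing import Dict, Iterable, List

# filter_main_legit_location, lower-cased because Sigma matches
# case-insensitively. The trailing backslash mirrors the rule's values.
LEGIT_LOCATIONS = (
    ":\\windows\\microsoft.net\\framework\\",
    ":\\windows\\microsoft.net\\framework64\\",
    ":\\windows\\microsoft.net\\frameworkarm\\",
    ":\\windows\\microsoft.net\\frameworkarm64\\",
    ":\\windows\\winsxs\\",
)


def matches_selection(event: Dict[str, str]) -> bool:
    """'selection' is a list of maps in the rule, so its entries are OR'ed."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\addinutil.exe") or original == "addinutil.exe"


def in_legit_location(event: Dict[str, str]) -> bool:
    """'filter_main_legit_location': Image|contains any of the known paths."""
    image = event.get("Image", "").lower()
    return any(loc in image for loc in LEGIT_LOCATIONS)


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return matches_selection(event) and not in_legit_location(event)


def evaluate(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # expected install location: suppressed by the filter
        "id": "evt-1",
        "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInUtil.exe",
        "OriginalFileName": "AddInUtil.exe",
    },
    {   # same binary copied to a user-writable path: alert
        "id": "evt-2",
        "Image": "C:\\Users\\Public\\AddInUtil.exe",
        "OriginalFileName": "AddInUtil.exe",
    },
    {   # renamed copy: Image no longer ends in addinutil.exe, but the
        # PE OriginalFileName still identifies it, so the rule alerts
        "id": "evt-3",
        "Image": "C:\\Temp\\update.exe",
        "OriginalFileName": "AddInUtil.exe",
    },
    {   # unrelated process: no match
        "id": "evt-4",
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
    },
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(event) else "ok"
        print(f"{event['id']}: {verdict}  {event['Image']}")
```

Running the script flags `evt-2` and `evt-3` only. Note that the filter keys on the path substring alone, so the rule does not distinguish a genuine framework copy from an attacker-created file placed beneath those directories; that is an accepted trade-off of a path-based allowlist, and one reason the rule's level is `medium` rather than `high`.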
References
Related rules
- MSI Installation From Web
- BitLockerTogo.EXE Execution
- Potential Binary Impersonating Sysinternals Tools
- Potentially Suspicious CMD Shell Output Redirect
- Renamed ZOHO Dctask64 Execution