Office Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry.

Sigma rule (View on GitHub)

 1title: Office Autorun Keys Modification
 2id: baecf8fb-edbf-429f-9ade-31fc3f22b970
 3related:
 4    - id: 17f878b8-9968-4578-b814-c4217fc5768c
 5      type: obsoletes
 6status: test
 7description: Detects modification of autostart extensibility point (ASEP) in registry.
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
10    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
11    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
12author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
13date: 2019/10/25
14modified: 2023/08/17
15tags:
16    - attack.persistence
17    - attack.t1547.001
18logsource:
19    category: registry_set
20    product: windows
21detection:
22    office:
23        TargetObject|contains:
24            - '\Software\Wow6432Node\Microsoft\Office'
25            - '\Software\Microsoft\Office'
26    office_details:
27        TargetObject|contains:
28            - '\Word\Addins'
29            - '\PowerPoint\Addins'
30            - '\Outlook\Addins'
31            - '\Onenote\Addins'
32            - '\Excel\Addins'
33            - '\Access\Addins'
34            - 'test\Special\Perf'
35    filter_empty:
36        Details: '(Empty)'
37    filter_known_addins:
38        Image|startswith:
39            - 'C:\Program Files\Microsoft Office\'
40            - 'C:\Program Files (x86)\Microsoft Office\'
41            - 'C:\Windows\System32\msiexec.exe'
42            - 'C:\Windows\System32\regsvr32.exe'
43        TargetObject|contains:
44            # Remove any unused addins in your environment from the filter
45            # Known addins for excel
46            - '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
47            - '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
48            - '\Excel\Addins\NativeShim\'
49            - '\Excel\Addins\NativeShim.InquireConnector.1\'
50            - '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
51            # Known addins for outlook
52            - '\Outlook\AddIns\AccessAddin.DC\'
53            - '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
54            - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
55            - '\Outlook\AddIns\EvernoteOLRD.Connect\'
56            # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
57            - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
58            - '\Outlook\Addins\OcOffice.OcForms\'
59            - '\Outlook\Addins\\OneNote.OutlookAddin'
60            - '\Outlook\Addins\OscAddin.Connect\'
61            - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
62            - '\Outlook\Addins\UCAddin.LyncAddin.1'
63            - '\Outlook\Addins\UCAddin.UCAddin.1'
64            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
65    filter_officeclicktorun:
66        Image|startswith:
67            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
68            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
69        Image|endswith: '\OfficeClickToRun.exe'
70    filter_avg:
71        Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
72        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
73    condition: office and office_details and not 1 of filter_*
74fields:
75    - SecurityID
76    - ObjectName
77    - OldValueType
78    - NewValueType
79falsepositives:
80    - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
81    - Legitimate administrator sets up autorun keys for legitimate reason
82level: medium

References

Related rules

to-top