Office Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened. There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive. Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.

Sigma rule

```yaml
title: Office Autorun Keys Modification
id: baecf8fb-edbf-429f-9ade-31fc3f22b970
related:
    - id: 17f878b8-9968-4578-b814-c4217fc5768c
      type: obsolete
status: test
description: |
    Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened.
    There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive.
    Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
    - https://learn.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
date: 2019-10-25
modified: 2026-01-09
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection_office_root:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
            - '\Software\Microsoft\Office'
    selection_office_details:
        TargetObject|contains:
            - '\Word\Addins'
            - '\PowerPoint\Addins'
            - '\Outlook\Addins'
            - '\Onenote\Addins'
            - '\Excel\Addins'
            - '\Access\Addins'
            - 'test\Special\Perf'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_known_addins:
        # Both the writing image AND the add-in key must match for this filter to apply
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\PROGRA~2\MICROS~2\Office'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe'
        TargetObject|contains:
            # Remove any unused addins in your environment from the filter
            # Known addins for excel
            - '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
            - '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
            - '\Excel\Addins\NativeShim\'
            - '\Excel\Addins\NativeShim.InquireConnector.1\'
            - '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
            # Known addins for outlook
            - '\Outlook\AddIns\AccessAddin.DC\'
            - '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
            - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
            - '\Outlook\AddIns\EvernoteOLRD.Connect\'
            # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
            - '\Outlook\Addins\OneNote.OutlookAddin'
            - '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
            - '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
            - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
            - '\Outlook\Addins\OcOffice.OcForms\'
            - '\Outlook\Addins\OscAddin.Connect\'
            - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
            - '\Outlook\Addins\UCAddin.LyncAddin.1'
            - '\Outlook\Addins\UCAddin.UCAddin.1'
            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
            - 'AddinTakeNotesService\FriendlyName'
    filter_main_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\' # 32-bit VSTO runtime also lives under Common Files
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    # These filters are not exhaustive, filter can be expanded based on environment
    condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate software or add-in installations and administrative configurations
    - Automatic registry modifications during legitimate software installations
level: medium
```
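To see how the condition behaves when tuning, here is an added example (not part of the SigmaHQ rule or the Sigma toolchain) that re-implements the rule's selection and main filters in plain Python and runs them over constructed Sysmon Event ID 13 records. Only a subset of the filter values is embedded, the SID, file paths and add-in name `Contoso.Connect` are constructed, and string matching is case-insensitive as Sigma specifies; note in particular that `filter_main_known_addins` suppresses an event only when both the writing image and the add-in key are known.

```python
# Added example (not part of the SigmaHQ rule); only a subset of filter values is embedded.
OFFICE_ROOT = ("\\Software\\Wow6432Node\\Microsoft\\Office", "\\Software\\Microsoft\\Office")
OFFICE_DETAILS = ("\\Word\\Addins", "\\PowerPoint\\Addins", "\\Outlook\\Addins",
                  "\\Onenote\\Addins", "\\Excel\\Addins", "\\Access\\Addins")
KNOWN_IMAGES = ("C:\\Program Files\\Microsoft Office\\", "C:\\Program Files (x86)\\Microsoft Office\\",
                "C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe")
KNOWN_ADDINS = ("\\Excel\\Addins\\NativeShim\\", "\\Outlook\\Addins\\UCAddin.LyncAddin.1")
C2R_DIR = "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\"

def _contains_any(value, needles):
    """Sigma |contains modifier: case-insensitive substring match."""
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _startswith_any(value, needles):
    v = value.lower()
    return any(v.startswith(n.lower()) for n in needles)

def rule_matches(event):
    """True when a Sysmon registry_set event would trigger the rule's condition."""
    target = event.get("TargetObject", "")
    image = event.get("Image", "")
    details = event.get("Details")  # missing field models Sigma's `Details: null`
    if not (_contains_any(target, OFFICE_ROOT) and _contains_any(target, OFFICE_DETAILS)):
        return False  # all of selection_office_* not satisfied
    if details is None or details == "(Empty)":  # filter_main_empty / filter_main_null
        return False
    # filter_main_known_addins: BOTH the writing image and the add-in key must be known
    if _startswith_any(image, KNOWN_IMAGES) and _contains_any(target, KNOWN_ADDINS):
        return False
    if image.lower().startswith(C2R_DIR.lower()) and image.lower().endswith("\\officeclicktorun.exe"):
        return False  # filter_main_officeclicktorun
    return True

HIVE = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Office"  # constructed SID
TEMP_EXE = "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"
REGSVR = "C:\\Windows\\System32\\regsvr32.exe"
EVENTS = [  # constructed Sysmon Event ID 13 records (Image, TargetObject, Details), not real telemetry
    (TEMP_EXE, HIVE + "\\Word\\Addins\\Contoso.Connect\\LoadBehavior", "DWORD (0x00000003)"),
    (REGSVR, HIVE + "\\Outlook\\Addins\\Contoso.Connect\\LoadBehavior", "DWORD (0x00000003)"),  # unknown add-in
    (REGSVR, HIVE + "\\Outlook\\Addins\\UCAddin.LyncAddin.1\\FriendlyName", "Lync Add-in"),
    (C2R_DIR + "OfficeClickToRun.exe", HIVE + "\\Excel\\Addins\\Contoso.Connect\\LoadBehavior", "DWORD (0x00000003)"),
    (TEMP_EXE, HIVE + "\\Word\\Addins\\Contoso.Connect\\Description", "(Empty)"),
    (TEMP_EXE, "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "C:\\Temp\\u.exe"),
]

def alerting_events():
    """Indexes of EVENTS that fire: only the first two survive the filters."""
    return [i for i, (img, key, det) in enumerate(EVENTS)
            if rule_matches({"Image": img, "TargetObject": key, "Details": det})]
```

Event 1 fires because regsvr32 is a known image but `Contoso.Connect` is not a known add-in, which is exactly the case the rule's filter comments ask you to review when tuning.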
