Potential Persistence Via Visual Studio Tools for Office
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
Sigma rule:

```yaml
title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
    - https://twitter.com/_vivami/status/1347925307643355138
    - https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2025-10-07
tags:
    - attack.t1137.006
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Office\Outlook\Addins\'
            - '\Software\Microsoft\Office\Word\Addins\'
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
    filter_main_system:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
    filter_main_office_click_to_run:
        Image|startswith:
            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_office_apps:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
        Image|endswith:
            - '\excel.exe'
            - '\Integrator.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\Teams.exe'
            - '\visio.exe'
            - '\winword.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Addin Installation
level: medium
```
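As an added worked example (not part of the rule above or of the SigmaHQ project), the following Python implements the rule's selection, its four `filter_main_*` filters, its two `filter_optional_*` filters and the final condition, then runs them over constructed `registry_set` events using the Sysmon Event ID 13 field names `Image` and `TargetObject`. Sigma string modifiers are case-insensitive, so every comparison lowercases both sides. Everything in `SAMPLE_EVENTS` is made up for the example: the SIDs, the add-in names and the GUID under `VSTO\Security\Inclusion`.

```python
# Evaluate the VSTO add-in persistence rule over constructed registry_set events.
# Patterns are copied from the rule; Sigma matching is case-insensitive, hence lower().

SELECTION_TARGETOBJECT_CONTAINS = [
    "\\Software\\Microsoft\\Office\\Outlook\\Addins\\",
    "\\Software\\Microsoft\\Office\\Word\\Addins\\",
    "\\Software\\Microsoft\\Office\\Excel\\Addins\\",
    "\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\",
    "\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\",
]
FILTER_SYSTEM_IMAGES = [
    "C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe",
    "C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe",
]
C2R_IMAGE_PREFIXES = [
    "C:\\Program Files\\Common Files (x86)\\Microsoft Shared\\ClickToRun\\",
    "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\",
]
INTEGRATOR_IMAGES = [
    "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe",
    "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe",
]
OFFICE_IMAGE_PREFIXES = [
    "C:\\Program Files\\Microsoft Office\\OFFICE", "C:\\Program Files (x86)\\Microsoft Office\\OFFICE",
    "C:\\Program Files\\Microsoft Office\\Root\\OFFICE", "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE",
]
OFFICE_IMAGE_SUFFIXES = ["\\excel.exe", "\\Integrator.exe", "\\outlook.exe", "\\powerpnt.exe",
                         "\\Teams.exe", "\\visio.exe", "\\winword.exe"]
# filter_optional_*: the Image list AND the TargetObject fragment must both match.
AV_FILTERS = [
    (["C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe", "C:\\Program Files (x86)\\AVG\\Antivirus\\RegSvr.exe"],
     "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\"),
    (["C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe", "C:\\Program Files (x86)\\Avast Software\\Avast\\RegSvr.exe"],
     "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt\\"),
]


def _equals_any(value, options):
    return value.lower() in [o.lower() for o in options]


def _contains_any(value, needles):
    return any(n.lower() in value.lower() for n in needles)


def _startswith_any(value, prefixes):
    return any(value.lower().startswith(p.lower()) for p in prefixes)


def _endswith_any(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)


def matches(event):
    """True when 'selection and not 1 of filter_main_* and not 1 of filter_optional_*' holds."""
    image = event.get("Image", "")
    target = event.get("TargetObject", "")
    if not _contains_any(target, SELECTION_TARGETOBJECT_CONTAINS):
        return False                      # selection did not match at all
    if _equals_any(image, FILTER_SYSTEM_IMAGES):            # filter_main_system
        return False
    if _startswith_any(image, C2R_IMAGE_PREFIXES) and _endswith_any(image, ["\\OfficeClickToRun.exe"]):
        return False                                         # filter_main_office_click_to_run
    if _equals_any(image, INTEGRATOR_IMAGES):                # filter_main_integrator
        return False
    if _startswith_any(image, OFFICE_IMAGE_PREFIXES) and _endswith_any(image, OFFICE_IMAGE_SUFFIXES):
        return False                                         # filter_main_office_apps
    for images, key_fragment in AV_FILTERS:                  # filter_optional_avg / _avast
        if _equals_any(image, images) and _contains_any(target, [key_fragment]):
            return False
    return True


# Constructed sample events (not real telemetry): SIDs, add-in names and the GUID are made up.
_SID = "HKU\\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"name": "powershell_outlook_addin", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": _SID + "\\Software\\Microsoft\\Office\\Outlook\\Addins\\Updater\\Manifest"},
    {"name": "msiexec_word_addin", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Word\\Addins\\Vendor.Connect\\LoadBehavior"},
    {"name": "click_to_run_excel_addin", "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Excel\\Addins\\Vendor.Pivot\\LoadBehavior"},
    {"name": "winword_itself", "Image": "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE",
     "TargetObject": _SID + "\\Software\\Microsoft\\Office\\Word\\Addins\\Vendor.Connect\\LoadBehavior"},
    {"name": "avg_regsvr_own_key", "Image": "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\LoadBehavior"},
    {"name": "avg_regsvr_other_key", "Image": "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Outlook\\Addins\\Updater\\Manifest"},
    {"name": "rundll32_vsto_inclusion", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "TargetObject": _SID + "\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\{0b2c8e1a-3b47-4e3f-9a1d-6f2e4c7d8a90}\\Url"},
]


def alerts(events):
    """Names of the events the rule fires on, in input order."""
    return [e["name"] for e in events if matches(e)]
```

`alerts(SAMPLE_EVENTS)` returns `powershell_outlook_addin`, `avg_regsvr_other_key` and `rundll32_vsto_inclusion`. The two AVG events show why the optional filters are two-field: the vendor's `RegSvr.exe` is only exempted for its own `Antivirus.AsOutExt` key, so the same binary writing a different add-in key still alerts. The `msiexec` event shows the other side of that design: `filter_main_system` exempts `msiexec.exe` and `regsvr32.exe` regardless of the key, so an add-in registered through either of those binaries does not fire this rule and has to be covered elsewhere.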
Related rules
- Code Executed Via Office Add-in XLL File
- Potential Persistence Via Excel Add-in - Registry
- Potential Persistence Via Microsoft Office Add-In
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification