Potential Persistence Via Visual Studio Tools for Office
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
Sigma rule (View on GitHub)
1title: Potential Persistence Via Visual Studio Tools for Office
2id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
3status: test
4description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
5references:
6 - https://twitter.com/_vivami/status/1347925307643355138
7 - https://vanmieghem.io/stealth-outlook-persistence/
8author: Bhabesh Raj
9date: 2021-01-10
10modified: 2023-08-28
11tags:
12 - attack.t1137.006
13 - attack.persistence
14logsource:
15 category: registry_set
16 product: windows
17detection:
18 selection:
19 TargetObject|contains:
20 - '\Software\Microsoft\Office\Outlook\Addins\'
21 - '\Software\Microsoft\Office\Word\Addins\'
22 - '\Software\Microsoft\Office\Excel\Addins\'
23 - '\Software\Microsoft\Office\Powerpoint\Addins\'
24 - '\Software\Microsoft\VSTO\Security\Inclusion\'
25 filter_image:
26 Image|endswith:
27 - '\msiexec.exe'
28 - '\regsvr32.exe' # e.g. default Evernote installation
29 # triggered by a default Office 2019 installation
30 filter_office:
31 Image|endswith:
32 - '\excel.exe'
33 - '\integrator.exe'
34 - '\OfficeClickToRun.exe'
35 - '\winword.exe'
36 - '\visio.exe'
37 filter_teams:
38 Image|endswith: '\Teams.exe'
39 filter_avg:
40 Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
41 TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
42 condition: selection and not 1 of filter_*
43falsepositives:
44 - Legitimate Addin Installation
45level: medium
References
Related rules
- Code Executed Via Office Add-in XLL File
- Potential Persistence Via Excel Add-in - Registry
- Potential Persistence Via Microsoft Office Add-In
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group