Potential Persistence Via Visual Studio Tools for Office

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Sigma rule

title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
    - https://twitter.com/_vivami/status/1347925307643355138
    - https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2025-10-07
tags:
    - attack.t1137.006
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Office\Outlook\Addins\'
            - '\Software\Microsoft\Office\Word\Addins\'
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
    filter_main_system:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
    filter_main_office_click_to_run:
        Image|startswith:
            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_office_apps:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
        Image|endswith:
            - '\excel.exe'
            - '\Integrator.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\Teams.exe'
            - '\visio.exe'
            - '\winword.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Addin Installation
level: medium
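To make the selection-minus-filters logic of the rule concrete, the following Python re-implements it and runs it over a handful of constructed registry_set events (the kind a Sysmon "value set" event would produce, carrying an Image and a TargetObject). This is an added example, not code from the SigmaHQ project or from the rule's author; the event records, the process paths outside the rule's own lists and the add-in name ExampleAddin are made up for illustration. It follows Sigma's default case-insensitive string matching, and the sample set deliberately includes an AVG RegSvr.exe write to an add-in key other than Antivirus.AsOutExt, which the optional filter does not cover and which therefore still fires.

```python
# Added example: evaluator for the Sigma rule above over constructed events.
# Not part of the SigmaHQ rule; the sample events below are invented.

# Values copied from the rule. Sigma's plain/contains/startswith/endswith
# modifiers are case-insensitive, so every comparison lower-cases both sides.
SELECTION_TARGETS = [
    "\\Software\\Microsoft\\Office\\Outlook\\Addins\\",
    "\\Software\\Microsoft\\Office\\Word\\Addins\\",
    "\\Software\\Microsoft\\Office\\Excel\\Addins\\",
    "\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\",
    "\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\",
]
SYSTEM_IMAGES = [
    "C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe",
    "C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe",
]
CLICK_TO_RUN_PREFIXES = [
    "C:\\Program Files\\Common Files (x86)\\Microsoft Shared\\ClickToRun\\",
    "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\",
]
INTEGRATOR_IMAGES = [
    "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe",
    "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe",
]
OFFICE_APP_PREFIXES = [
    "C:\\Program Files\\Microsoft Office\\OFFICE",
    "C:\\Program Files (x86)\\Microsoft Office\\OFFICE",
    "C:\\Program Files\\Microsoft Office\\Root\\OFFICE",
    "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE",
]
OFFICE_APP_SUFFIXES = ["\\excel.exe", "\\Integrator.exe", "\\outlook.exe",
                       "\\powerpnt.exe", "\\Teams.exe", "\\visio.exe", "\\winword.exe"]
# (allowed images, TargetObject substring that must also be present)
AV_FILTERS = [
    (["C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
      "C:\\Program Files (x86)\\AVG\\Antivirus\\RegSvr.exe"],
     "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\"),
    (["C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe",
      "C:\\Program Files (x86)\\Avast Software\\Avast\\RegSvr.exe"],
     "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt\\"),
]


def _contains(value, needles):
    return any(n.lower() in value for n in needles)


def _equals(value, options):
    return any(value == o.lower() for o in options)


def _startswith(value, prefixes):
    return any(value.startswith(p.lower()) for p in prefixes)


def _endswith(value, suffixes):
    return any(value.endswith(s.lower()) for s in suffixes)


def is_match(event):
    """True when the event satisfies 'selection and not 1 of filter_*'."""
    image = event.get("Image", "").lower()
    target = event.get("TargetObject", "").lower()
    if not _contains(target, SELECTION_TARGETS):
        return False
    filters = [
        _equals(image, SYSTEM_IMAGES),                                   # filter_main_system
        _startswith(image, CLICK_TO_RUN_PREFIXES)
        and _endswith(image, ["\\OfficeClickToRun.exe"]),                # filter_main_office_click_to_run
        _equals(image, INTEGRATOR_IMAGES),                               # filter_main_integrator
        _startswith(image, OFFICE_APP_PREFIXES)
        and _endswith(image, OFFICE_APP_SUFFIXES),                       # filter_main_office_apps
    ] + [_equals(image, imgs) and _contains(target, [needle])           # filter_optional_avg / _avast
         for imgs, needle in AV_FILTERS]
    return not any(filters)


def evaluate(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if is_match(e)]


# Constructed sample events (invented paths, SIDs and add-in name).
ADDIN_KEY = "\\Software\\Microsoft\\Office\\Outlook\\Addins\\ExampleAddin\\LoadBehavior"
SAMPLE_EVENTS = [
    {"id": "user-installer", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001" + ADDIN_KEY},
    {"id": "msiexec", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001" + ADDIN_KEY},
    {"id": "c2r", "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Word\\Addins\\ExampleAddin\\FriendlyName"},
    {"id": "avg-own-addin", "Image": "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\LoadBehavior"},
    {"id": "avg-other-addin", "Image": "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
     "TargetObject": "HKLM" + ADDIN_KEY},
    {"id": "vsto-inclusion", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\{00000000-0000-0000-0000-000000000000}\\Url"},
    {"id": "unrelated-run-key", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleApp"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:<20} {'ALERT' if is_match(event) else 'suppressed/ignored'}")
```

Running the block prints an ALERT for user-installer, avg-other-addin and vsto-inclusion; msiexec, c2r and avg-own-addin are suppressed by the filters, and the Run-key write never enters the selection. When tuning the rule for your own estate, extend the filter_* lists the same way the AVG and Avast entries do: pin both the writing Image and the specific add-in key, rather than allow-listing a process for every Addins subkey.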
