Potential Persistence Via Visual Studio Tools for Office

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

Sigma rule

title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: experimental
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
    - https://twitter.com/_vivami/status/1347925307643355138
    - https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021/01/10
modified: 2023/08/28
tags:
    - attack.t1137.006
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Office\Outlook\Addins\'
            - '\Software\Microsoft\Office\Word\Addins\'
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
    filter_image:
        Image|endswith:
            - '\msiexec.exe'
            - '\regsvr32.exe' # e.g. default Evernote installation
    # triggered by a default Office 2019 installation
    filter_office:
        Image|endswith:
            - '\excel.exe'
            - '\integrator.exe'
            - '\OfficeClickToRun.exe'
            - '\winword.exe'
            - '\visio.exe'
    filter_teams:
        Image|endswith: '\Teams.exe'
    filter_avg:
        Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Legitimate Addin Installation
level: medium

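The rule's selection and filter_* logic, as an added example that is not part of the rule or the Sigma project, applied to constructed registry_set events with Sysmon Event ID 13 style fields (Image, TargetObject); the SIDs, paths and add-in names in the sample events are made up.

```python
# Added example (not the Sigma rule's own code): evaluate "selection and not
# 1 of filter_*" over constructed registry_set events carrying Sysmon
# Event ID 13 style fields (Image, TargetObject). Sigma string modifiers
# match case-insensitively, so every comparison is done in lowercase.
SELECTION = [
    "\\software\\microsoft\\office\\outlook\\addins\\",
    "\\software\\microsoft\\office\\word\\addins\\",
    "\\software\\microsoft\\office\\excel\\addins\\",
    "\\software\\microsoft\\office\\powerpoint\\addins\\",
    "\\software\\microsoft\\vsto\\security\\inclusion\\",
]
FILTER_IMAGE = ("\\msiexec.exe", "\\regsvr32.exe")
FILTER_OFFICE = ("\\excel.exe", "\\integrator.exe", "\\officeclicktorun.exe",
                 "\\winword.exe", "\\visio.exe")
AVG_IMAGE = "c:\\program files\\avg\\antivirus\\regsvr.exe"
AVG_TARGET = "\\microsoft\\office\\outlook\\addins\\antivirus.asoutext\\"

def rule_matches(event):
    """True when the event fires the rule: selection hit and no filter_* hit."""
    image = event.get("Image", "").lower()
    target = event.get("TargetObject", "").lower()
    if not any(s in target for s in SELECTION):          # selection
        return False
    filters = (
        image.endswith(FILTER_IMAGE),                     # filter_image
        image.endswith(FILTER_OFFICE),                    # filter_office
        image.endswith("\\teams.exe"),                    # filter_teams
        image == AVG_IMAGE and AVG_TARGET in target,      # filter_avg (both fields)
    )
    return not any(filters)

# Constructed sample events (made-up SIDs, paths and add-in names).
EVENTS = [
    {"id": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Office\\Outlook\\Addins\\Contoso.Addin\\LoadBehavior"},
    {"id": 2, "Image": "C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\OfficeClickToRun.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Excel\\Addins\\Contoso.ExcelAddin\\FriendlyName"},
    {"id": 3, "Image": "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\Manifest"},
    {"id": 4, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\{11111111-2222-3333-4444-555555555555}\\Url"},
    {"id": 5, "Image": "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Word\\Addins\\Antivirus.AsOutExt\\Manifest"},
]

def alerting_ids(events=EVENTS):
    """IDs of the events that fire the rule."""
    return [e["id"] for e in events if rule_matches(e)]  # -> [1, 4, 5]
```

Event 5 still alerts because filter_avg requires both the AVG image and the Outlook Antivirus.AsOutExt key; a write under Word\Addins by the same binary is not excluded.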