Potential Persistence Via Excel Add-in - Registry
Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
Sigma rule (View on GitHub)
1title: Potential Persistence Via Excel Add-in - Registry
2id: 961e33d1-4f86-4fcf-80ab-930a708b2f82
3status: test
4description: Detect potential persistence via the creation of an excel add-in (XLL) file to make it run automatically when Excel is started.
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md
7 - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
8author: frack113
9date: 2023-01-15
10modified: 2023-08-17
11tags:
12 - attack.persistence
13 - attack.t1137.006
14logsource:
15 product: windows
16 category: registry_set
17detection:
18 selection:
19 TargetObject|contains: 'Software\Microsoft\Office\'
20 TargetObject|endswith: '\Excel\Options'
21 Details|startswith: '/R '
22 Details|endswith: '.xll'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
One software product that attackers will almost certainly find in the environments that they're targeting is Microsoft Office. Office applications due to this ubiquity present a consistent source of opportunity for persistence mechanisms.
Read More
Related rules
- Code Executed Via Office Add-in XLL File
- Potential Persistence Via Microsoft Office Add-In
- Potential Persistence Via Visual Studio Tools for Office
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group