Find sigma rule

Attack: Office Application Startup: Add-ins

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)

Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.

MITRE

Tactic

persistence

technique

T1137.006

Test : Code Executed Via Excel Add-in File (XLL)

OS

windows

Description:

Loads an XLL file using the excel add-ins library. This causes excel to launch Notepad.exe as a child process. This atomic test does not include persistent code execution as you would typically see when this is implemented in malware.

Executor

powershell

Sigma Rule

posh_ps_office_comobject_registerxll.yml (id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad)
proc_creation_win_susp_script_exec_from_temp.yml (id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test