Find sigma rule
Attack: Office Application Startup: Add-ins
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)
Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.
MITRE
Tactic
- persistence
technique
- T1137.006
Test : Persistent Code Execution Via Word Add-in File (WLL)
OS
- windows
Description:
Creates a Word Add-in file (WLL) which runs automatically when Word is started The sample WLL provided launches the notepad as a proof-of-concept for persistent execution from Office. Successfully tested on 32-bit Office 2016. Not successful from microsoft 365 version of Office.
Executor
powershell
Sigma Rule
-
proc_creation_win_office_svchost_parent.yml (id: 9bdaf1e9-fdef-443b-8081-4341b74a7e28)
-
file_event_win_office_addin_persistence.yml (id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936)