From 47995cc8e5a3e3b47c6ee29b4348bd4c81d67fd4 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 15 Apr 2025 18:36:04 +0200
Subject: [PATCH] feat(rules): Suspicious Microsoft Office add-in loaded

Identifies attempts to load unsigned executables from Microsoft Office add-ins directories, which adversaries may exploit to maintain persistence.
---
...spicious_microsoft_office_addin_loaded.yml | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 rules/persistence_suspicious_microsoft_office_addin_loaded.yml

diff --git a/rules/persistence_suspicious_microsoft_office_addin_loaded.yml b/rules/persistence_suspicious_microsoft_office_addin_loaded.yml
new file mode 100644
index 000000000..43eaead94
--- /dev/null
+++ b/rules/persistence_suspicious_microsoft_office_addin_loaded.yml
@@ -0,0 +1,32 @@
+name: Suspicious Microsoft Office add-in loaded
+id: fe4daff8-d8aa-48d3-bf09-a9d868375a3c
+version: 1.0.0
+description: |
+ Identifies attempts to load unsigned executables from known Microsoft Office
+ add-ins directories, which adversaries may exploit to maintain persistence.
+labels:
+ tactic.id: TA0003
+ tactic.name: Persistence
+ tactic.ref: https://attack.mitre.org/tactics/TA0003/
+ technique.id: T1137
+ technique.name: Office Application Startup
+ technique.ref: https://attack.mitre.org/techniques/T1137/
+references:
+ - https://github.com/3gstudent/Office-Persistence/blob/master/OfficePersistence.ps1
+
+condition: >
+ (load_unsigned_or_untrusted_module) and ps.name iin ('excel.exe', 'winword.exe', 'outlook.exe', 'powerpnt.exe')
+ and
+ image.path imatches
+ (
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\AddIns\\*',
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*',
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Word\\Startup\\*',
+ '?:\\Users\\*\\AppData\\Roaming\\Microsoft\\Outlook\\*'
+ )
+
+output:
+ Microsoft Office process %ps.name loaded a suspicious add-in %image.path
+severity: high
+
+min-engine-version: 2.4.0
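Review bot: The `description` says "known Microsoft Office add-ins directories", but the `image.path imatches` list in the condition covers only per-user `?:\Users\*\AppData\Roaming` locations, so the wording overstates what the rule actually watches; either narrow the text, e.g. `Identifies attempts to load unsigned executables from per-user (AppData\Roaming) Microsoft Office add-in directories, which adversaries may exploit to maintain persistence.`, or extend the path list to match the description. The condition also leans on the `load_unsigned_or_untrusted_module` macro, whose definition is outside this patch, so which signature states count as untrusted cannot be verified from the hunk; a one-line comment above `condition:` naming that dependency would help the next maintainer. Since `severity: high` is paired with no exclusions, a comment noting that legitimate but unsigned third-party add-ins in these folders will also match, and that per-environment exclusions are expected, would set tuning expectations.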