LoFP / automatic registry modifications during legitimate software installations

Techniques

Sample rules

Office Autorun Keys Modification

Description

Detects modification of autostart extensibility points (ASEPs) in the registry. Adversaries may modify these keys to execute malicious code when Office files are opened. Various legitimate add-ins also use these keys, and this filter list may not be exhaustive, so review and tune the filters for your environment to reduce false positives before deploying to production.

Detection logic

condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
filter_main_empty:
  Details: (Empty)
filter_main_known_addins:
  Image|startswith:
  - C:\Program Files\Microsoft Office\
  - C:\Program Files (x86)\Microsoft Office\
  - C:\PROGRA~2\MICROS~2\Office
  - C:\Windows\System32\msiexec.exe
  - C:\Windows\SysWOW64\msiexec.exe
  - C:\Windows\System32\regsvr32.exe
  - 'C:\Windows\SysWOW64\regsvr32.exe '
  TargetObject|contains:
  - \Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\
  - \Excel\Addins\ExcelPlugInShell.PowerMapConnect\
  - \Excel\Addins\NativeShim\
  - \Excel\Addins\NativeShim.InquireConnector.1\
  - \Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\
  - \Outlook\AddIns\AccessAddin.DC\
  - \Outlook\AddIns\ColleagueImport.ColleagueImportAddin\
  - \Outlook\AddIns\EvernoteCC.EvernoteContactConnector\
  - \Outlook\AddIns\EvernoteOLRD.Connect\
  - \Outlook\Addins\\OneNote.OutlookAddin
  - \Outlook\Addins\DriveFSExtensionLib.Connect\
  - \Outlook\Addins\GoogleAppsSync.Connect\
  - \Outlook\Addins\Microsoft.VbaAddinForOutlook.1\
  - \Outlook\Addins\OcOffice.OcForms\
  - \Outlook\Addins\OscAddin.Connect\
  - \Outlook\Addins\OutlookChangeNotifier.Connect\
  - \Outlook\Addins\UCAddin.LyncAddin.1
  - \Outlook\Addins\UCAddin.UCAddin.1
  - \Outlook\Addins\UmOutlookAddin.FormRegionAddin\
  - AddinTakeNotesService\FriendlyName
filter_main_null:
  Details: null
filter_main_officeclicktorun:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\
filter_main_vsto:
  Image|endswith: \VSTOInstaller.exe
  Image|startswith:
  - C:\Program Files\Common Files\Microsoft Shared\VSTO\
  - C:\Program Files (x86)\Microsoft Shared\VSTO\
filter_optional_avast:
  Image:
  - C:\Program Files\Avast Software\Avast\RegSvr.exe
  - C:\Program Files\Avast Software\Avast\x86\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Avast.AsOutExt\
filter_optional_avg:
  Image:
  - C:\Program Files\AVG\Antivirus\RegSvr.exe
  - C:\Program Files\AVG\Antivirus\x86\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\
selection_office_details:
  TargetObject|contains:
  - \Word\Addins
  - \PowerPoint\Addins
  - \Outlook\Addins
  - \Onenote\Addins
  - \Excel\Addins
  - \Access\Addins
  - test\Special\Perf
selection_office_root:
  TargetObject|contains:
  - \Software\Wow6432Node\Microsoft\Office
  - \Software\Microsoft\Office
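To make the matching semantics of the rule above concrete, here is the same selection and filter logic run over a handful of constructed registry-set events. This is an added example, not code from the Sigma project or the LoFP page. It assumes Sysmon-style Image, TargetObject and Details fields (the ones Sigma's registry_set logsource maps to), case-insensitive Sigma string matching, an absent Details field standing for the rule's `Details: null`, and it reproduces only a subset of the rule's known-add-in list. All event labels, image paths, key paths and values are constructed.

```python
"""Worked evaluation of the 'Office Autorun Keys Modification' rule logic.

Added example, not code from the Sigma project or the LoFP page. Assumes
Sysmon-style Image/TargetObject/Details fields, case-insensitive Sigma string
modifiers, and an absent Details field for 'Details: null'. Only a subset of
the rule's known-add-in list is reproduced. Every event below is constructed.
"""
from typing import Dict, Optional

Event = Dict[str, Optional[str]]

# selection_office_root AND selection_office_details (both TargetObject|contains)
OFFICE_ROOT = ("\\Software\\Wow6432Node\\Microsoft\\Office", "\\Software\\Microsoft\\Office")
OFFICE_ADDIN_PATHS = ("\\Word\\Addins", "\\PowerPoint\\Addins", "\\Outlook\\Addins",
                      "\\Onenote\\Addins", "\\Excel\\Addins", "\\Access\\Addins",
                      "test\\Special\\Perf")

# filter_main_known_addins: an image prefix AND an add-in fragment must both match
KNOWN_IMAGE_PREFIXES = ("C:\\Program Files\\Microsoft Office\\",
                        "C:\\Program Files (x86)\\Microsoft Office\\",
                        "C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe",
                        "C:\\Windows\\System32\\regsvr32.exe", "C:\\Windows\\SysWOW64\\regsvr32.exe")
KNOWN_ADDIN_FRAGMENTS = (  # subset of the rule's list
    "\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1\\",
    "\\Outlook\\Addins\\Microsoft.VbaAddinForOutlook.1\\",
    "\\Outlook\\Addins\\UCAddin.LyncAddin.1",
    "AddinTakeNotesService\\FriendlyName")

# filter_main_officeclicktorun / filter_main_vsto: Image|endswith AND Image|startswith
INSTALLER_FILTERS = {
    "filter_main_officeclicktorun": ("\\OfficeClickToRun.exe",
        ("C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\",)),
    "filter_main_vsto": ("\\VSTOInstaller.exe",
        ("C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\",
         "C:\\Program Files (x86)\\Microsoft Shared\\VSTO\\")),
}
# filter_optional_*: exact Image AND TargetObject|contains
VENDOR_FILTERS = {
    "filter_optional_avast": (("C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe",
                               "C:\\Program Files\\Avast Software\\Avast\\x86\\RegSvr.exe"),
                              "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt\\"),
    "filter_optional_avg": (("C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
                             "C:\\Program Files\\AVG\\Antivirus\\x86\\RegSvr.exe"),
                            "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\"),
}


def _lc(value: Optional[str]) -> str:
    return (value or "").lower()


def _contains_any(value, fragments):
    return any(f.lower() in _lc(value) for f in fragments)


def _startswith_any(value, prefixes):
    return any(_lc(value).startswith(p.lower()) for p in prefixes)


def evaluate(event: Event) -> str:
    """Return 'ALERT' when the rule fires, else the selection/filter that stopped it.

    Implements: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
    """
    image, target, details = event.get("Image"), event.get("TargetObject"), event.get("Details")
    if not (_contains_any(target, OFFICE_ROOT) and _contains_any(target, OFFICE_ADDIN_PATHS)):
        return "no_selection"                  # not an Office add-in ASEP at all
    if details == "(Empty)":
        return "filter_main_empty"             # e.g. bare key creation, no value written yet
    if details is None:
        return "filter_main_null"
    # Both halves of the filter map are ANDed: a trusted image writing an
    # add-in that is NOT on the list still alerts (see the regsvr32 sample).
    if _startswith_any(image, KNOWN_IMAGE_PREFIXES) and _contains_any(target, KNOWN_ADDIN_FRAGMENTS):
        return "filter_main_known_addins"
    for name, (suffix, prefixes) in INSTALLER_FILTERS.items():
        if _lc(image).endswith(suffix.lower()) and _startswith_any(image, prefixes):
            return name
    for name, (images, fragment) in VENDOR_FILTERS.items():
        if _lc(image) in {i.lower() for i in images} and _contains_any(target, (fragment,)):
            return name
    return "ALERT"


# Constructed Sysmon-style registry_set events (not real telemetry).
SAMPLE_EVENTS = {
    "office_binary_known_addin": {
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Outlook\\Addins\\UCAddin.LyncAddin.1\\LoadBehavior",
        "Details": "DWORD (0x00000003)"},
    "regsvr32_unknown_addin": {
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "TargetObject": "HKCU\\Software\\Microsoft\\Office\\Word\\Addins\\Updater.Connect\\LoadBehavior",
        "Details": "DWORD (0x00000003)"},
    "clicktorun_update": {
        "Image": "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Office\\Excel\\Addins\\PowerPivotExcelClientAddIn.NativeEntry.1\\FriendlyName",
        "Details": "Microsoft Power Pivot for Excel"},
    "temp_binary_key_created": {
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
        "TargetObject": "HKCU\\Software\\Microsoft\\Office\\Excel\\Addins\\Helper.Connect",
        "Details": "(Empty)"},
    "temp_binary_loadbehavior": {
        "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
        "TargetObject": "HKCU\\Software\\Microsoft\\Office\\Excel\\Addins\\Helper.Connect\\LoadBehavior",
        "Details": "DWORD (0x00000003)"},
    "avast_outlook_addin": {
        "Image": "C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt\\LoadBehavior",
        "Details": "DWORD (0x00000003)"},
    "non_office_key": {
        "Image": "C:\\Windows\\System32\\regsvr32.exe",
        "TargetObject": "HKCU\\Software\\Contoso\\Word\\Addins\\Foo\\LoadBehavior",
        "Details": "DWORD (0x00000003)"},
}


def run_samples() -> Dict[str, str]:
    """Verdict per constructed event; the ALERT rows are the ones worth triaging."""
    return {label: evaluate(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:28s} -> {verdict}")
```

Two points the run makes visible. Each filter map ANDs its fields, so `regsvr32.exe` registering an add-in whose path is not in the list still alerts; when tuning for a local add-in, extend the TargetObject fragment list rather than loosening the Image prefixes. The `(Empty)` and `null` filters drop the bare key-creation event, so the alert for an unknown add-in arrives on the later `LoadBehavior` write, which is the value that actually controls loading.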