Potential Persistence Via Visual Studio Tools for Office
- source: sigma
- techniques:
  - t1137
  - t1137.006
Description
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
Detection logic
```yaml
condition: selection and not 1 of filter_*
filter_avg:
  Image: C:\Program Files\AVG\Antivirus\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\
filter_image:
  Image|endswith:
    - \msiexec.exe
    - \regsvr32.exe
filter_office:
  Image|endswith:
    - \excel.exe
    - \integrator.exe
    - \OfficeClickToRun.exe
    - \winword.exe
    - \visio.exe
filter_teams:
  Image|endswith: \Teams.exe
selection:
  TargetObject|contains:
    - \Software\Microsoft\Office\Outlook\Addins\
    - \Software\Microsoft\Office\Word\Addins\
    - \Software\Microsoft\Office\Excel\Addins\
    - \Software\Microsoft\Office\Powerpoint\Addins\
    - \Software\Microsoft\VSTO\Security\Inclusion\
```
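To show how the selection and the `filter_*` maps compose (fields inside one map are ANDed, `1 of filter_*` ORs the maps, and matching is case-insensitive), here is an added Python evaluator run over constructed Sysmon registry events; it is not part of the Sigma rule or its project, and the SID, user paths and GUID in the sample events are placeholders.

```python
# Added example, not part of the Sigma rule: evaluates the detection logic
# above against constructed Sysmon registry events. Sigma string matching is
# case-insensitive, so every comparison lowercases both sides.
SELECTION_PATHS = [
    "\\Software\\Microsoft\\Office\\Outlook\\Addins\\",
    "\\Software\\Microsoft\\Office\\Word\\Addins\\",
    "\\Software\\Microsoft\\Office\\Excel\\Addins\\",
    "\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\",
    "\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\",
]
AVG_IMAGE = "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe"
AVG_KEY = "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\"
OFFICE_IMAGES = ["\\excel.exe", "\\integrator.exe", "\\OfficeClickToRun.exe",
                 "\\winword.exe", "\\visio.exe"]

def _contains(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def _endswith(value, needles):
    return any(value.lower().endswith(n.lower()) for n in needles)

# Fields inside one filter_* map are ANDed; "1 of filter_*" ORs the maps.
FILTERS = {
    "filter_avg": lambda e: e["Image"].lower() == AVG_IMAGE.lower()
    and _contains(e["TargetObject"], [AVG_KEY]),
    "filter_image": lambda e: _endswith(e["Image"], ["\\msiexec.exe", "\\regsvr32.exe"]),
    "filter_office": lambda e: _endswith(e["Image"], OFFICE_IMAGES),
    "filter_teams": lambda e: _endswith(e["Image"], ["\\Teams.exe"]),
}

def matches_rule(event):
    """condition: selection and not 1 of filter_*"""
    if not _contains(event["TargetObject"], SELECTION_PATHS):
        return False
    return not any(check(event) for check in FILTERS.values())

# Constructed events; the SID, user path and GUID are placeholders.
HKU = "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Office\\"
EVENTS = [
    {"id": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": HKU + "Word\\Addins\\Contoso.AddIn\\LoadBehavior"},
    {"id": 2, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "TargetObject": HKU + "Word\\Addins\\Contoso.AddIn\\LoadBehavior"},
    {"id": 3, "Image": AVG_IMAGE, "TargetObject": HKU + "Outlook\\Addins\\Antivirus.AsOutExt\\LoadBehavior"},
    {"id": 4, "Image": AVG_IMAGE, "TargetObject": "HKLM\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\{GUID-PLACEHOLDER}\\Url"},
    {"id": 5, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
]

def alerting_ids(events=EVENTS):
    """Return ids of events the rule alerts on; for EVENTS this is [1, 4]."""
    return [e["id"] for e in events if matches_rule(e)]
```

Event 3 is suppressed only because both fields of `filter_avg` match; event 4 comes from the same AVG binary but writes a VSTO inclusion key, so the filter does not apply and the rule fires.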