Potential Persistence Via Visual Studio Tools for Office
- source: sigma
- techniques:
- t1137
- t1137.006
Description
Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
Detection logic
# Alert on writes under the Office add-in / VSTO inclusion-list keys named in
# `selection`, unless the writing process is one of the known-benign
# installers below. `1 of filter_main_*` / `1 of filter_optional_*` each
# short-circuit on the first matching filter group.
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

# Office's own add-in integrator (both install roots).
filter_main_integrator:
  Image:
    - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
    - C:\Program Files\Microsoft Office\root\integration\integrator.exe

# Office applications launched from an official install directory. Both
# Image conditions are ANDed: the file name suffix AND the path prefix must
# match, so a same-named binary elsewhere on disk is still alerted on.
filter_main_office_apps:
  Image|endswith:
    - \excel.exe
    - \Integrator.exe
    - \outlook.exe
    - \powerpnt.exe
    - \Teams.exe
    - \visio.exe
    - \winword.exe
  Image|startswith:
    - C:\Program Files\Microsoft Office\OFFICE
    - C:\Program Files (x86)\Microsoft Office\OFFICE
    - C:\Program Files\Microsoft Office\Root\OFFICE
    - C:\Program Files (x86)\Microsoft Office\Root\OFFICE

# Click-to-Run servicing, again pinned to its expected directory.
filter_main_office_click_to_run:
  Image|endswith: \OfficeClickToRun.exe
  Image|startswith:
    - C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\
    - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\

# Windows installer and COM registration utilities, matched by full path only.
filter_main_system:
  Image:
    - C:\Windows\System32\msiexec.exe
    - C:\Windows\SysWOW64\msiexec.exe
    - C:\Windows\System32\regsvr32.exe
    - C:\Windows\SysWOW64\regsvr32.exe

# Vendor-specific Outlook add-in registrations. Each optional filter is
# narrowed by both the vendor binary path and its own add-in key, so it does
# not suppress other writes by those binaries. Presumably safe to drop where
# the product is not deployed — confirm against the environment.
filter_optional_avast:
  Image:
    - C:\Program Files\Avast Software\Avast\RegSvr.exe
    - C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Avast.AsOutExt\

filter_optional_avg:
  Image:
    - C:\Program Files\AVG\Antivirus\RegSvr.exe
    - C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\

# Registry locations where Office add-ins and VSTO trusted-inclusion entries
# are registered; TargetObject suggests a registry event source — confirm the
# rule's logsource.
selection:
  TargetObject|contains:
    - \Software\Microsoft\Office\Outlook\Addins\
    - \Software\Microsoft\Office\Word\Addins\
    - \Software\Microsoft\Office\Excel\Addins\
    - \Software\Microsoft\Office\Powerpoint\Addins\
    - \Software\Microsoft\VSTO\Security\Inclusion\