Techniques
Sample rules
Potential Persistence Via Microsoft Office Add-In
- source: sigma
- techniques:
  - t1137
  - t1137.006
Description
Detects potential persistence activity via startup add-ins that load when Microsoft Office starts (.wll and .xll files are simply DLLs built for Word and Excel respectively).
Detection logic
condition: 1 of selection_*
selection_generic:
    TargetFilename|contains: \Microsoft\Addins\
    TargetFilename|endswith:
        - .xlam
        - .xla
        - .ppam
selection_wlldropped:
    TargetFilename|contains: \Microsoft\Word\Startup\
    TargetFilename|endswith: .wll
selection_xladropped:
    TargetFilename|contains: Microsoft\Excel\XLSTART\
    TargetFilename|endswith: .xlam
selection_xlldropped:
    TargetFilename|contains: \Microsoft\Excel\Startup\
    TargetFilename|endswith: .xll
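The following is an added example, not code from the Sigma project, that evaluates the four selections above against constructed file-creation events so the matching semantics are visible: within one selection every listed field must match (AND), a list of values for one field is OR, string matching is case-insensitive as in Sigma, and the condition `1 of selection_*` fires when at least one selection matches. The event field name `TargetFilename` follows the rule; the sample paths, the `Image` values and the helper names are constructed for illustration.

```python
# Added example (not part of the Sigma project): re-implements the rule's four
# selections and its "1 of selection_*" condition over constructed events.
# Field name TargetFilename follows the rule; all sample values are constructed.

SELECTIONS = {
    "selection_generic": {
        "contains": ["\\Microsoft\\Addins\\"],
        "endswith": [".xlam", ".xla", ".ppam"],
    },
    "selection_wlldropped": {
        "contains": ["\\Microsoft\\Word\\Startup\\"],
        "endswith": [".wll"],
    },
    "selection_xladropped": {
        "contains": ["Microsoft\\Excel\\XLSTART\\"],
        "endswith": [".xlam"],
    },
    "selection_xlldropped": {
        "contains": ["\\Microsoft\\Excel\\Startup\\"],
        "endswith": [".xll"],
    },
}


def matching_selections(event: dict) -> list:
    """Return the names of the selections an event satisfies.

    Sigma string modifiers match case-insensitively by default, so both sides
    are lower-cased. Inside one selection all fields must match (AND); the
    list of values under one field is an OR.
    """
    target = event.get("TargetFilename", "").lower()
    hits = []
    for name, sel in SELECTIONS.items():
        contains_ok = any(s.lower() in target for s in sel["contains"])
        endswith_ok = any(target.endswith(s.lower()) for s in sel["endswith"])
        if contains_ok and endswith_ok:
            hits.append(name)
    return hits


def rule_fires(event: dict) -> bool:
    """condition: 1 of selection_*  ->  true when at least one selection matches."""
    return len(matching_selections(event)) >= 1


# Constructed sample events in the shape of Sysmon FileCreate (Event ID 11) records.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\helper.wll"},
    {"EventID": 11, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLAM"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Addins\\tool.ppam"},
    # Add-in extension but outside every monitored startup path: must not fire.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.xlam"},
    # Monitored path but a non-add-in extension: must not fire.
    {"EventID": 11, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\notes.txt"},
]


def triage(events: list) -> list:
    """Return (path, matched selections) for every event on which the rule fires."""
    return [(e["TargetFilename"], matching_selections(e)) for e in events if rule_fires(e)]


if __name__ == "__main__":
    for path, sels in triage(SAMPLE_EVENTS):
        print(f"ALERT {path} <- {', '.join(sels)}")
```

Running the block flags three of the five constructed events: the `.wll` in the Word STARTUP folder, the `.xlam` in XLSTART and the `.ppam` under Addins; the `.xlam` in Documents and the `.txt` in STARTUP are left alone. The second hit is worth noting when tuning: Excel itself writes a personal macro workbook into XLSTART, so a match on this rule is a lead to be enriched with the writing process (`Image`) and user rather than a verdict on its own.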