Suspicious AddinUtil.EXE CommandLine Execution

Status
test
Severity
high
Log source
product windows, category process_creation
Author
Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
Source
github.com/SigmaHQ/sigma

Detects execution of the Add-In deployment cache updating utility (AddInUtil.exe) with suspicious -AddInRoot or -PipelineRoot paths. An adversary may run AddInUtil.exe with uncommon AddInRoot/PipelineRoot locations (temp, download, desktop or public folders, or the current directory when that directory is one of them) that point to the adversary's own Addins.Store payload.

MITRE ATT&CK coverage

T1218 System Binary Proxy Execution (the rule is tagged attack.t1218)

Event coverage

Provider   Event        Title
Sysmon     Event ID 1   Process creation

Rule body yaml

title: Suspicious AddinUtil.EXE CommandLine Execution
id: 631b22a4-70f4-4e2f-9ea8-42f84d9df6d8
status: test
description: |
    Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\addinutil.exe'
        - OriginalFileName: 'AddInUtil.exe'
    selection_susp_1_flags:
        CommandLine|contains:
            - '-AddInRoot:'
            - '-PipelineRoot:'
    selection_susp_1_paths:
        CommandLine|contains:
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Users\Public\'
            - '\Windows\Temp\'
    selection_susp_2:
        CommandLine|contains:
            - '-AddInRoot:.'
            - '-AddInRoot:"."'
            - '-PipelineRoot:.'
            - '-PipelineRoot:"."'
        CurrentDirectory|contains:
            - '\AppData\Local\Temp\'
            - '\Desktop\'
            - '\Downloads\'
            - '\Users\Public\'
            - '\Windows\Temp\'
    condition: selection_img and (all of selection_susp_1_* or selection_susp_2)
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

selection_img and (all of selection_susp_1_* or selection_susp_2)

Stage 1: selection_img

selection_img:
    - Image|endswith: '\addinutil.exe'
    - OriginalFileName: 'AddInUtil.exe'

Stage 2: selection_susp_1_flags

selection_susp_1_flags:
    CommandLine|contains:
        - '-AddInRoot:'
        - '-PipelineRoot:'

Stage 3: selection_susp_1_paths

selection_susp_1_paths:
    CommandLine|contains:
        - '\AppData\Local\Temp\'
        - '\Desktop\'
        - '\Downloads\'
        - '\Users\Public\'
        - '\Windows\Temp\'

Stage 4: selection_susp_2

selection_susp_2:
    CommandLine|contains:
        - '-AddInRoot:.'
        - '-AddInRoot:"."'
        - '-PipelineRoot:.'
        - '-PipelineRoot:"."'
    CurrentDirectory|contains:
        - '\AppData\Local\Temp\'
        - '\Desktop\'
        - '\Downloads\'
        - '\Users\Public\'
        - '\Windows\Temp\'
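The condition above combines the four selections as: the binary check, AND (both susp_1 selections together, OR susp_2). Two details are easy to get wrong when porting it: a list of maps under one selection (selection_img) is an OR, while several fields inside one map (selection_susp_2) are an AND, and Sigma string matching is case-insensitive by default. The following Python is an added illustration, not part of SigmaHQ or of pySigma, that evaluates exactly this condition over a handful of constructed Sysmon Event ID 1 records; the AddInUtil.exe install path used for the Image field is assumed for the sample data and is not something the rule checks.

```python
"""Evaluate the 'Suspicious AddinUtil.EXE CommandLine Execution' logic over
constructed Sysmon Event ID 1 records (illustrative code, not a Sigma backend)."""

# Values copied from the rule body. Sigma matches strings case-insensitively
# by default, so every comparison below lower-cases both sides.
SUSP_DIRS = [
    "\\AppData\\Local\\Temp\\",
    "\\Desktop\\",
    "\\Downloads\\",
    "\\Users\\Public\\",
    "\\Windows\\Temp\\",
]
ROOT_FLAGS = ["-AddInRoot:", "-PipelineRoot:"]
DOT_ROOT_FLAGS = ["-AddInRoot:.", '-AddInRoot:"."', "-PipelineRoot:.", '-PipelineRoot:"."']


def _lc(value):
    """Lower-case a field value, treating a missing field as empty."""
    return (value or "").lower()


def contains_any(value, needles):
    """Sigma 'field|contains' with a list value: any needle may match (OR)."""
    haystack = _lc(value)
    return any(needle.lower() in haystack for needle in needles)


def selection_img(ev):
    """List of two maps under selection_img: either alternative suffices (OR)."""
    return _lc(ev.get("Image")).endswith("\\addinutil.exe") or _lc(ev.get("OriginalFileName")) == "addinutil.exe"


def selection_susp_1_flags(ev):
    return contains_any(ev.get("CommandLine"), ROOT_FLAGS)


def selection_susp_1_paths(ev):
    return contains_any(ev.get("CommandLine"), SUSP_DIRS)


def selection_susp_2(ev):
    """Two fields inside one map: both must match (AND)."""
    return contains_any(ev.get("CommandLine"), DOT_ROOT_FLAGS) and contains_any(ev.get("CurrentDirectory"), SUSP_DIRS)


def rule_matches(ev):
    """condition: selection_img and (all of selection_susp_1_* or selection_susp_2)"""
    susp_1 = selection_susp_1_flags(ev) and selection_susp_1_paths(ev)
    return selection_img(ev) and (susp_1 or selection_susp_2(ev))


# Constructed sample events, not real telemetry. The Image path below is an
# assumed .NET Framework location; the rule only looks at the file name.
ADDINUTIL = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\AddInUtil.exe"
SAMPLE_EVENTS = [
    {"name": "benign_program_files", "Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": 'AddInUtil.exe -AddInRoot:"C:\\Program Files\\Contoso\\AddIns"',
     "CurrentDirectory": "C:\\Program Files\\Contoso\\"},
    {"name": "addinroot_in_downloads", "Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": "AddInUtil.exe -AddInRoot:C:\\Users\\alice\\Downloads\\addins",
     "CurrentDirectory": "C:\\Users\\alice\\"},
    {"name": "dot_root_from_temp", "Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": "addinutil.exe -PipelineRoot:.",
     "CurrentDirectory": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage\\"},
    # Suspicious folder on the command line but no -AddInRoot/-PipelineRoot flag:
    # 'all of selection_susp_1_*' requires both, so this must not fire.
    {"name": "susp_path_without_root_flag", "Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": "AddInUtil.exe C:\\Users\\Public\\addins",
     "CurrentDirectory": "C:\\Users\\Public\\"},
    # Renamed copy: Image no longer ends in \addinutil.exe, OriginalFileName still does.
    {"name": "renamed_binary_public", "Image": "C:\\Users\\Public\\au.exe", "OriginalFileName": "AddInUtil.exe",
     "CommandLine": "au.exe -AddInRoot:C:\\Users\\Public\\addins",
     "CurrentDirectory": "C:\\Users\\Public\\"},
    # '.' root from a non-suspicious working directory: selection_susp_2 needs both fields.
    {"name": "dot_root_from_program_files", "Image": ADDINUTIL, "OriginalFileName": "AddInUtil.exe",
     "CommandLine": 'AddInUtil.exe -AddInRoot:"."',
     "CurrentDirectory": "C:\\Program Files\\Contoso\\AddIns\\"},
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {event name: True if the rule fires} for each record."""
    return {ev["name"]: rule_matches(ev) for ev in events}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(("ALERT " if hit else "ok    ") + name)
```

The two negative cases are the ones worth keeping in any unit test for a port of this rule: a suspicious folder without a root flag, and a "." root launched from an ordinary directory, both stay silent by design, so a translation that turns `all of selection_susp_1_*` into an OR, or drops the CurrentDirectory clause, would start firing on them.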

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field             Kind        Values
CommandLine       match
  • -AddInRoot: corpus 2 (sigma 2)
  • -AddInRoot:"."
  • -AddInRoot:.
  • -PipelineRoot: corpus 2 (sigma 2)
  • -PipelineRoot:"."
  • -PipelineRoot:.
  • \AppData\Local\Temp\ corpus 26 (sigma 26)
  • \Desktop\ corpus 13 (sigma 13)
  • \Downloads\ corpus 14 (sigma 14)
  • \Users\Public\ corpus 17 (sigma 17)
  • \Windows\Temp\ corpus 12 (sigma 12)
CurrentDirectory  match
  • \AppData\Local\Temp\
  • \Desktop\
  • \Downloads\
  • \Users\Public\
  • \Windows\Temp\
Image             ends_with
  • \addinutil.exe corpus 4 (sigma 4)
OriginalFileName  eq
  • AddInUtil.exe corpus 3 (sigma 3)