Suspicious Execution via Microsoft Office Add-Ins

Last updated: 2025-03-20
Created: 2023-03-20

About

Identifies execution of common Microsoft Office applications that launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to gain initial access via a malicious MS Office Add-In delivered by phishing.
Tags
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Initial Access
Tactic: Persistence
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Sysmon
Data Source: Microsoft Defender for Endpoint
Data Source: SentinelOne
Language: eql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

Persistence (TA0003)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
winlogbeat-*
logs-endpoint.events.process-*
logs-windows.sysmon_operational-*
endgame-*
logs-m365_defender.event-*
logs-sentinel_one_cloud_funnel.*
Related Integrations

endpoint

windows

m365_defender

sentinel_one_cloud_funnel

Query
process where
    host.os.type == "windows" and event.type == "start" and
    process.name : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and
    process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and

    /* Office Add-In from suspicious paths */
    (process.args :
             ("?:\\Users\\*\\Temp\\7z*",
              "?:\\Users\\*\\Temp\\Rar$*",
              "?:\\Users\\*\\Temp\\Temp?_*",
              "?:\\Users\\*\\Temp\\BNZ.*",
              "?:\\Users\\*\\Downloads\\*",
              "?:\\Users\\*\\AppData\\Roaming\\*",
              "?:\\Users\\Public\\*",
              "?:\\ProgramData\\*",
              "?:\\Windows\\Temp\\*",
              "\\Device\\*",
              "http*") or

    process.parent.name : ("explorer.exe", "OpenWith.exe") or

    /* Office Add-In from suspicious parent */
    process.parent.name : ("cmd.exe", "powershell.exe")) and

    /* False Positives */
    not (process.args : "*.vsto" and
         process.parent.executable :
                   ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
                    "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
                    "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
                    "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
                    "?:\\ProgramData\\Logishrd\\LogiOptionsPlus\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
                    "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
    not (process.args : "/Uninstall" and process.name : "VSTOInstaller.exe") and
    not (process.parent.name : "rundll32.exe" and
         process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
    not (process.name : "VSTOInstaller.exe" and process.args : "https://dl.getsidekick.com/outlook/vsto/Sidekick.vsto")
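To see how the rule's gating (Office process, add-in extension, suspicious path or parent) and its false-positive carve-outs interact, here is an added Python re-implementation of the query logic run over constructed process-start events; it is not Elastic's code, it approximates EQL's case-insensitive `:` wildcard with fnmatch, assumes a flat event dict (name, args, parent_name, parent_exe), and includes only two of the rule's four exclusions.

```python
import re
from fnmatch import fnmatchcase

# Constants transcribed from the EQL rule above.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "vstoinstaller.exe"}
ADDIN_RE = re.compile(r".+\.(wll|xll|ppa|ppam|xla|xlam|vsto)", re.IGNORECASE)
SUSPICIOUS_PATHS = [
    "?:\\Users\\*\\Temp\\7z*", "?:\\Users\\*\\Temp\\Rar$*", "?:\\Users\\*\\Temp\\Temp?_*",
    "?:\\Users\\*\\Temp\\BNZ.*", "?:\\Users\\*\\Downloads\\*", "?:\\Users\\*\\AppData\\Roaming\\*",
    "?:\\Users\\Public\\*", "?:\\ProgramData\\*", "?:\\Windows\\Temp\\*", "\\Device\\*", "http*",
]
SUSPICIOUS_PARENTS = {"explorer.exe", "openwith.exe", "cmd.exe", "powershell.exe"}
# Two of the rule's false-positive carve-outs: Logitech VSTO installers and VSTO uninstalls.
LOGITECH_PARENTS = [
    "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
    "?:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\*\\VSTOInstaller.exe",
]

def any_match(values, patterns):
    """Approximates EQL ':' : case-insensitive wildcard, true if any value matches any pattern."""
    return any(fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)

def matches_rule(ev):
    """True if a process-start event (name, args, parent_name, parent_exe) would fire the rule."""
    if ev["name"].lower() not in OFFICE_APPS:
        return False
    if not any(ADDIN_RE.fullmatch(a) for a in ev["args"]):  # EQL regex matches the whole value
        return False
    if not (any_match(ev["args"], SUSPICIOUS_PATHS) or ev["parent_name"].lower() in SUSPICIOUS_PARENTS):
        return False
    if any_match(ev["args"], ["*.vsto"]) and any_match([ev["parent_exe"]], LOGITECH_PARENTS):
        return False
    if ev["name"].lower() == "vstoinstaller.exe" and any_match(ev["args"], ["/Uninstall"]):
        return False
    return True

def event(name, arg, parent_name, parent_exe):
    return {"name": name, "args": [name, arg], "parent_name": parent_name, "parent_exe": parent_exe}

# Constructed sample events, not real telemetry.
EVENTS = {
    "xll_from_downloads": event("EXCEL.EXE", "C:\\Users\\alice\\Downloads\\invoice.xll",
                                "explorer.exe", "C:\\Windows\\explorer.exe"),
    "logitech_vsto": event("VSTOInstaller.exe", "C:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\1.2\\Addin.vsto",
                           "VSTOInstaller.exe", "C:\\ProgramData\\Logishrd\\LogiOptions\\Plugins\\VSTO\\1.2\\VSTOInstaller.exe"),
    "docx_from_downloads": event("WINWORD.EXE", "C:\\Users\\alice\\Downloads\\report.docx",
                                 "explorer.exe", "C:\\Windows\\explorer.exe"),
}
def alerting_events():
    """Names of the sample events the rule logic fires on."""
    return sorted(k for k, ev in EVENTS.items() if matches_rule(ev))
```

Only the `.xll` launched from Downloads fires: the Logitech `.vsto` hits a suspicious path but is carved out by its parent, and the `.docx` never passes the add-in extension gate.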

Install detection rules in Elastic Security

Detect Suspicious Execution via Microsoft Office Add-Ins in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.