Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Office Autorun Keys Modification

Detects modification of autostart extensibility point (ASEP) in registry. Adversaries may modify these keys to execute malicious code when Office files are opened. There are various legitimate add-ins that also use these keys and this filter list might not be exhaustive. Thus, it is recommended to review and tune filters for your environment to reduce false positives before deploying to production.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François HubautCreated Fri Oct 25Updated Fri Jan 09baecf8fb-edbf-429f-9ade-31fc3f22b970windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic9 selectors
detection:
    selection_office_root:
        TargetObject|contains:
            - '\Software\Wow6432Node\Microsoft\Office'
            - '\Software\Microsoft\Office'
    selection_office_details:
        TargetObject|contains:
            - '\Word\Addins'
            - '\PowerPoint\Addins'
            - '\Outlook\Addins'
            - '\Onenote\Addins'
            - '\Excel\Addins'
            - '\Access\Addins'
            - 'test\Special\Perf'
    filter_main_empty:
        Details: '(Empty)'
    filter_main_null:
        Details: null
    filter_main_known_addins:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\'
            - 'C:\Program Files (x86)\Microsoft Office\'
            - 'C:\PROGRA~2\MICROS~2\Office'
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe '
        TargetObject|contains:
            # Remove any unused addins in your environment from the filter
            # Known addins for excel
            - '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
            - '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
            - '\Excel\Addins\NativeShim\'
            - '\Excel\Addins\NativeShim.InquireConnector.1\'
            - '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
            # Known addins for outlook
            - '\Outlook\AddIns\AccessAddin.DC\'
            - '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
            - '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
            - '\Outlook\AddIns\EvernoteOLRD.Connect\'
            # - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
            - '\Outlook\Addins\\OneNote.OutlookAddin'
            - '\Outlook\Addins\DriveFSExtensionLib.Connect\' # An Outlook Add-in to talk with Google Drive
            - '\Outlook\Addins\GoogleAppsSync.Connect\' # Google Apps Sync for Microsoft Outlook
            - '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
            - '\Outlook\Addins\OcOffice.OcForms\'
            - '\Outlook\Addins\OscAddin.Connect\'
            - '\Outlook\Addins\OutlookChangeNotifier.Connect\'
            - '\Outlook\Addins\UCAddin.LyncAddin.1'
            - '\Outlook\Addins\UCAddin.UCAddin.1'
            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
            - 'AddinTakeNotesService\FriendlyName'
    filter_main_officeclicktorun:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    # These filters are not exhaustive, filter can be expanded based on environment
    condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives

Legitimate software or add-in installations and administrative configurations

Automatic registry modifications during legitimate software installations

References
1
Resolving title…
github.com
2
Resolving title…
learn.microsoft.com
3
Resolving title…
gist.github.com
MITRE ATT&CK
Related Rules
Similar

17f878b8-9968-4578-b814-c4217fc5768c

Rule not found
Rule Metadata
Rule ID
baecf8fb-edbf-429f-9ade-31fc3f22b970
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Fri Jan 09
Author
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François Hubaut
Path
rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.001
View on GitHub