Detectionmediumtest
Office Autorun Keys Modification
Detects modification of autostart extensibility point (ASEP) in registry.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, François HubautCreated Fri Oct 25Updated Fri Oct 17baecf8fb-edbf-429f-9ade-31fc3f22b970windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic7 selectors
detection:
selection_office_root:
TargetObject|contains:
- '\Software\Wow6432Node\Microsoft\Office'
- '\Software\Microsoft\Office'
selection_office_details:
TargetObject|contains:
- '\Word\Addins'
- '\PowerPoint\Addins'
- '\Outlook\Addins'
- '\Onenote\Addins'
- '\Excel\Addins'
- '\Access\Addins'
- 'test\Special\Perf'
filter_main_empty:
Details: '(Empty)'
filter_main_known_addins:
Image|startswith:
- 'C:\Program Files\Microsoft Office\'
- 'C:\Program Files (x86)\Microsoft Office\'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\regsvr32.exe'
TargetObject|contains:
# Remove any unused addins in your environment from the filter
# Known addins for excel
- '\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\'
- '\Excel\Addins\ExcelPlugInShell.PowerMapConnect\'
- '\Excel\Addins\NativeShim\'
- '\Excel\Addins\NativeShim.InquireConnector.1\'
- '\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\'
# Known addins for outlook
- '\Outlook\AddIns\AccessAddin.DC\'
- '\Outlook\AddIns\ColleagueImport.ColleagueImportAddin\'
- '\Outlook\AddIns\EvernoteCC.EvernoteContactConnector\'
- '\Outlook\AddIns\EvernoteOLRD.Connect\'
# - '\Outlook\Addins\GrammarlyAddIn.Connect' # Uncomment if you use Grammarly
- '\Outlook\Addins\Microsoft.VbaAddinForOutlook.1\'
- '\Outlook\Addins\OcOffice.OcForms\'
- '\Outlook\Addins\\OneNote.OutlookAddin'
- '\Outlook\Addins\OscAddin.Connect\'
- '\Outlook\Addins\OutlookChangeNotifier.Connect\'
- '\Outlook\Addins\UCAddin.LyncAddin.1'
- '\Outlook\Addins\UCAddin.UCAddin.1'
- '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
- 'AddinTakeNotesService\FriendlyName'
filter_main_officeclicktorun:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
Image|endswith: '\OfficeClickToRun.exe'
filter_optional_avg:
Image:
- 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
- 'C:\Program Files\AVG\Antivirus\x86\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
- 'C:\Program Files\Avast Software\Avast\x86\RegSvr.exe'
TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
condition: all of selection_office_* and not 1 of filter_main_* and not 1 of filter_optional_*False Positives
Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
Legitimate administrator sets up autorun keys for legitimate reason
MITRE ATT&CK
Related Rules
Similar
Rule not found17f878b8-9968-4578-b814-c4217fc5768c
Rule Metadata
Rule ID
baecf8fb-edbf-429f-9ade-31fc3f22b970
Status
test
Level
medium
Type
Detection
Created
Fri Oct 25
Modified
Fri Oct 17
Author
Path
rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1547.001