Network Connection Initiated By AddinUtil.EXE
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| Network Connection Initiated By AddinUtil.EXE | Standard | Windows | Defense Evasion: System Binary Proxy Execution (T1218) | Trouble |
About the rule
Rule Type
Standard
Rule Description
AddinUtil.EXE is a legitimate Windows binary, a Microsoft Office utility used to manage add-ins and extensions. Under normal circumstances it does not initiate any outbound network connection. If AddinUtil.exe is observed initiating a network connection, this is unusual behaviour and may indicate malicious activity: adversaries could abuse this process to masquerade as legitimate Microsoft Office behaviour and persist in the network.
Severity
Trouble
Rule journey
Attack chain scenario
Initial access → Execution of PowerShell script → Persistence as Office application add-in → Command and control → Impact
Impact
- Defense evasion by signed binary proxy execution
- HTTP requests to the attacker's C2 domain
- Use of RDP for lateral movement and collection of sensitive data
- Data exfiltration
Rule Requirement
Prerequisites
- Download and install Sysmon from Microsoft Sysinternals. Then open a Command Prompt with administrator privileges and install Sysmon with a configuration file that monitors network connections:
  sysmon.exe -i [configfile.xml]
- Add network connection events to the configuration file. With no rules under an exclude filter, nothing is excluded, so every network connection event (Event ID 3) is logged:
  <Sysmon schemaversion="4.90">
    <!-- schemaversion must match the installed Sysmon release -->
    <EventFiltering>
      <!-- This captures all network connection events -->
      <NetworkConnect onmatch="exclude"/>
    </EventFiltering>
  </Sysmon>
- Create a new registry key "Microsoft-Windows-Sysmon/Network" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
- Set the Max Size registry value to 200 MB to provide adequate storage for network logs, which tend to be high volume.
Criteria
Action1: actionname = "sa_network_connection" AND IS_INITIATED = "true" AND PROCESSNAME endswith "\addinutil.exe" select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.PROCESSNAME,Action1.DESTINATIONHOST,Action1.DESTINATION_IPV6,Action1.DEST_IP,Action1.SOURCEHOST,Action1.SOURCE_IP,Action1.SOURCE_IPV6
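The criteria above, applied to Sysmon Event ID 3 message bodies, as an added example that is not part of the original rule page. The Sysmon field names (Image, Initiated, SourceIp, DestinationIp, ...) are real; the four sample events are constructed, and the HOSTNAME/USERNAME column mapping onto Sysmon fields is an assumption about how the log source is normalised.

```python
# Added example, not from the original rule page: applies the rule's criteria
# (initiated connection AND process name ends with "\addinutil.exe") to Sysmon
# Event ID 3 message bodies. Sample events below are constructed, not real telemetry.
def parse_sysmon_message(text: str) -> dict:
    """Turn a Sysmon 'Key: value' message body into a dict (line 1 is the title)."""
    fields = {}
    for line in text.splitlines()[1:]:
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def matches_rule(event: dict) -> bool:
    """IS_INITIATED = "true" AND PROCESSNAME endswith "\\addinutil.exe"; the
    comparison is case-insensitive like Windows paths, and the leading backslash
    keeps a look-alike such as notaddinutil.exe from matching."""
    initiated = event.get("Initiated", "").lower() == "true"
    return initiated and event.get("Image", "").lower().endswith("\\addinutil.exe")

# Rule output columns mapped onto the Sysmon fields that carry them (assumed mapping).
SELECTED = {"HOSTNAME": "SourceHostname", "USERNAME": "User", "PROCESSNAME": "Image",
            "DESTINATIONHOST": "DestinationHostname", "DEST_IP": "DestinationIp",
            "SOURCE_IP": "SourceIp"}

def detect(messages: list) -> list:
    """Return one alert record (the rule's selected columns) per matching event."""
    alerts = []
    for text in messages:
        event = parse_sysmon_message(text)
        if matches_rule(event):
            alerts.append({col: event.get(field, "-") for col, field in SELECTED.items()})
    return alerts

def _event(image, initiated, dest_ip, dest_host="-"):
    """Build a constructed Sysmon Event ID 3 message body for the demo."""
    return ("Network connection detected:\r\nRuleName: -\r\nUtcTime: 2024-05-01 10:15:02.117\r\n"
            f"ProcessId: 4412\r\nImage: {image}\r\nUser: CORP\\jdoe\r\nProtocol: tcp\r\n"
            f"Initiated: {initiated}\r\nSourceIp: 10.0.0.25\r\nSourceHostname: WS01.corp.local\r\n"
            f"SourcePort: 50122\r\nDestinationIp: {dest_ip}\r\nDestinationHostname: {dest_host}\r\n"
            "DestinationPort: 443")

SAMPLE_EVENTS = [  # constructed: outbound match, inbound (not initiated), other process, look-alike
    _event(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe", "true", "203.0.113.7"),
    _event(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe", "false", "10.0.0.9"),
    _event(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "true", "198.51.100.5", "mail.example.com"),
    _event(r"C:\Tools\notaddinutil.exe", "true", "203.0.113.9"),
]

ALERTS = detect(SAMPLE_EVENTS)  # exactly one record: the initiated AddInUtil.exe connection
```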
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: System Binary Proxy Execution (T1218)
Security Standards
Enabling this rule helps you meet the security standard requirement listed below:
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities
Whenever the AddinUtil.exe process starts and attempts to establish a network connection, the event has to be detected and alerted on. This enables security administrators to analyze the event and determine whether the process is legitimate or malicious.
Author
Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
Future actions
Known False Positives
There are a few legitimate scenarios in which AddinUtil.exe may initiate a network connection, such as during a software update, while installing trusted extensions, or as part of a .NET application deployment process.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify the event and check whether the flagged incident is new or an existing one.
- Analysis: Analyze the impact and extent of the incident to understand the severity of the attack, using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow that interrupts the network connections and terminates the malicious process.
- Reconfiguration: Update network policies and port configurations, and continuously monitor traffic trends in the network.
Mitigation
| Mitigation ID | Mitigation Name | Mitigation description |
| --- | --- | --- |
| M1042 | Disable or Remove Feature or Program | Identify software (including native binaries) or features that are no longer needed or could be exploited by adversaries, and disable or remove them from the system environment. |
| M1038 | Execution Prevention | Prevent unauthorized native binaries that are abusive or malign from running on a system, through application control, script blocking and other execution controls. |
| M1050 | Exploit Protection | Deploy Microsoft's Enhanced Mitigation Experience Toolkit (EMET) and Attack Surface Reduction (ASR) to detect, block and mitigate native binary or software exploits. |
| M1037 | Filter Network Traffic | Use network appliances to filter ingress, egress and lateral network traffic. Protocol-based filtering, firewall rules and predefined conditions restrict adversary movement and limit unauthorized access across systems. |
| M1026 | Privileged Account Management | Restrict access, limit the scope of permissions and monitor privileged account usage through policies, controls and tools that manage privileged accounts securely; also restrict vulnerable binaries from executing under privileged accounts. |
| M1021 | Restrict Web-Based Content | Restrict web-based content by enforcing policies or tools that limit access to malicious sites, applications, browser extensions, etc. |