Suspicious AddinUtil.EXE CommandLine Execution
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Suspicious AddinUtil.EXE CommandLine Execution | Standard | Windows | Defense Evasion: System Binary Proxy Execution (T1218) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Add-in Utility is a Microsoft utility used to add and manage software add-ins on Windows systems, predominantly for Office applications. Attackers exploit this utility to execute add-ins from suspicious AddinRoot and PipelineRoot paths. The AddinRoot is the directory where add-ins are stored, and the PipelineRoot is the folder containing the executable steps of an application. By running AddinUtil.exe from suspicious AddinRoot or PipelineRoot path where the payload is stored, attackers can execute malicious payloads. This rule detects such suspicious AddinUtil.exe executions from suspicious locations.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Execution → Defense Evasion → Impact
Impact
- Malware execution
- Defense evasion
- Persistence
Rule Requirement
Prerequisites
- Windows Event Viewer
Logon to Group Policy Management Console with administrative privileges and enable auditing for process creation and termination events. For enhanced process tracking enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".
- Sysmon
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".
((((( PROCESSNAME ENDS_WITH ""\\addinutil.exe"" ) ) OR ((ORIGINALFILENAME = ""addinutil.exe"" )))) AND ((((( COMMANDLINE CONTAINS ""-addinroot:"" ) OR ( COMMANDLINE CONTAINS ""-pipelineroot:"" ) )) AND ((( COMMANDLINE CONTAINS ""\\appdata\\local\\temp\\"" ) OR ( COMMANDLINE CONTAINS ""\\desktop\\"" ) OR ( COMMANDLINE CONTAINS ""\\downloads\\"" ) OR ( COMMANDLINE CONTAINS ""\\users\\public\\"" ) OR ( COMMANDLINE CONTAINS ""\\windows\\temp\\"" ) ))) OR (((( CWD CONTAINS ""\\appdata\\local\\temp\\"" ) OR ( CWD CONTAINS ""\\desktop\\"" ) OR ( CWD CONTAINS ""\\downloads\\"" ) OR ( CWD CONTAINS ""\\users\\public\\"" ) OR ( CWD CONTAINS ""\\windows\\temp\\"" ) ) AND (( COMMANDLINE CONTAINS ""-addinroot:."" ) OR ( COMMANDLINE CONTAINS ""-addinroot:\"".\"""" ) OR ( COMMANDLINE CONTAINS ""-pipelineroot:."" ) OR ( COMMANDLINE CONTAINS ""-pipelineroot:\"".\"""" ) )))))
This rule is triggered when the executed process is associated with the following suspicious elements:
- \\addinutil.exe or addinutil.exe: Refers to the process or file associated with the Add-in Utility.
- -addinroot: A directory where add-ins are stored.
- -pipelineroot: A folder where scripts, configurations, and executable steps of an application are stored.
- \\appdata\\local\\temp\\: Refers to the user's Temp folder, a less suspicious location used to execute malware files.
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\addinutil.exe" OR ORIGINALFILENAME = "AddInUtil.exe") AND ((COMMANDLINE contains "-AddInRoot:,-PipelineRoot:" AND COMMANDLINE contains "\AppData\Local\Temp\,\Desktop\,\Downloads\,\Users\Public\,\Windows\Temp") OR (COMMANDLINE contains "-AddInRoot:.,-AddInRoot:".",-PipelineRoot:.,-PipelineRoot:"."" AND CWD contains "\AppData\Local\Temp\,\Desktop\,\Downloads\,\Users\Public\,\Windows\Temp")) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: System Binary Proxy Execution (T1218)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.
When this rule is triggered, you're notified of the execution of AddinUtil.exe. This enables you to identify suspicious add-in executions originating from malicious AddinRoot and PipelineRoot paths, as well as detect attempts by malware to evade detection.
Author
Nasreddine Bencherchali (Nextron Systems), Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
Future actions
Known False Positives
This rule might be triggered when legitimate script executions involving Add-in Utility are run from uncommon folders.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit Add-in executions: Continuously monitor Add-in executions and the AddinRoot/PipelineRoot path for suspicious activities and flag Add-in Utility processes running from less suspicious folders.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1042 | Disable native binaries when not required. | |
M1038 | Restrict the execution of binaries that are prone to exploitation. | |
M1050 | Block attempts to bypass application control using trusted binaries Attack Surface Reduction tools. | |
M1037 | Deploy traffic filtering and screening tools for software on endpoints. | |
M1026 | Restrict permissions to execute binaries to privileged users and groups only. | |
M1021 | Blocklist malicious websites and Javascript browser extensions. |
