Suspicious Office Add-ins Execution

Rule Info

Name
Suspicious Office Add-ins Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of Office add-ins from suspicious locations or with a suspicious parent process. Office add-ins can be abused for persistence and execution of malicious code. Threat actors often use these malicious add-ins to gain initial access, typically delivered through phishing emails with malicious Office documents.
Date
2025-05-05 00:00:00
Modified
None
Id
2d791965-eafa-4b7b-a638-9dc04aa33989
Tags
attack.persistence attack.t1137.006 attack.execution
Type
Nextron Sigma feed only (private)

Rule History