
Rule Info
Name
Suspicious Office Add-ins Creation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the creation of Office add-ins by processes other than Microsoft Office applications, which might indicate malicious activity.
Threat actors often use malicious add-ins to gain initial access, typically delivering them through phishing emails that carry malicious Office documents.
Date
2025-05-05 00:00:00
Modified
None
Id
aaad0d74-778b-49a1-a435-e48cec146580
Tags
attack.persistence attack.t1137.006 attack.execution
Type
Nextron Sigma feed only (private)