
Rule Info

Name: Uncommon Child Process Of AddinUtil.EXE
Author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
Description: Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
Date: 2023-09-18 00:00:00
Modified: None
Id: b5746143-59d6-4603-8d06-acbd60e166ee
Tags: attack.defense-evasion, attack.t1218
Type: Community Rule
Link to Public Repo

Rule History

| Author | Title | Date | Commit |
| --- | --- | --- | --- |
| Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 | |
| github-actions[bot] | Merge PR #4942 from @nasbench - promote older rules status from experimental to test | 2024-08-01 | |
| SILJAEUROPA | Merge PR #4452 from @SILJAEUROPA - Add New Rules To AddInUtil Potential Abuse | 2023-10-05 | |