Add Office Add-ins rules. (#781)

* Add Office Add-ins rules.
mandiant · Jul 5, 2023 · 415b40b · 415b40b
1 parent 6b449aa
commit 415b40b
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 0 deletions.
diff --git a/persistence/office/act-as-excel-xll-add-in.yml b/persistence/office/act-as-excel-xll-add-in.yml
@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: act as Excel XLL add-in
+    namespace: persistence/office
+    authors:
+      - [email protected]
+    scope: file
+    att&ck:
+      - Persistence::Office Application Startup::Add-ins [T1137.006]
+    references:
+      - https://learn.microsoft.com/en-us/office/client-developer/excel/xlautoopen
+    examples:
+      - c29513e5a51dd24ca840f7628b872cba921976cba89dcbffd5028ba15481108c
+  features:
+    - or:
+      - export: xlAutoOpen
diff --git a/persistence/office/act-as-office-com-add-in.yml b/persistence/office/act-as-office-com-add-in.yml
@@ -0,0 +1,25 @@
+rule:
+  meta:
+    name: act as Office COM add-in
+    namespace: persistence/office
+    authors:
+      - [email protected]
+    scope: file
+    att&ck:
+      - Persistence::Office Application Startup::Add-ins [T1137.006]
+    references:
+      - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
+      - https://learn.microsoft.com/en-us/dotnet/api/extensibility.idtextensibility2?view=visualstudiosdk-2022
+    examples:
+      - 0831bb382211a67c57a392955138808526aa15e55531091841706aae2cb89613
+  features:
+    - and:
+      - format: dotnet
+      - class: Extensibility.IDTExtensibility2
+      - or:
+        - string: "OnAddInsUpdate"
+        - string: "OnAddInsUpdate"
+        - string: "OnBeginShutdown"
+        - string: "OnConnection"
+        - string: "OnDisconnection"
+        - string: "OnStartupComplete"
diff --git a/persistence/office/act-as-word-wll-add-in.yml b/persistence/office/act-as-word-wll-add-in.yml
@@ -0,0 +1,16 @@
+rule:
+  meta:
+    name: act as Word WLL add-in
+    namespace: persistence/office
+    authors:
+      - [email protected]
+    scope: file
+    att&ck:
+      - Persistence::Office Application Startup::Add-ins [T1137.006]
+    references:
+      - https://www.ired.team/offensive-security/persistence/word-library-add-ins
+    examples:
+      - 03bb32d43885e83bc56c0b2bcad6f0c5ea40402763b7057056c654990022471b
+  features:
+    - or:
+      - export: wdAutoOpen