Uncommon Child Process Of AddinUtil.EXE

Hunt Hypothesis

Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store pay

Detection Rule

Sigma (Original)

title: Uncommon Child Process Of AddinUtil.EXE
id: b5746143-59d6-4603-8d06-acbd60e166ee
status: test
description: |
    Detects uncommon child processes of the Add-In deployment cache updating utility (AddInutil.exe) which could be a sign of potential abuse of the binary to proxy execution via a custom Addins.Store payload.
references:
    - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri)
date: 2023-09-18
tags:
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\addinutil.exe'
    filter_main_werfault:
        Image|endswith:
            - ':\Windows\System32\conhost.exe'
            - ':\Windows\System32\werfault.exe'
            - ':\Windows\SysWOW64\werfault.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (ParentProcessName endswith "\\addinutil.exe" or ActingProcessName endswith "\\addinutil.exe") and (not((TargetProcessName endswith ":\\Windows\\System32\\conhost.exe" or TargetProcessName endswith ":\\Windows\\System32\\werfault.exe" or TargetProcessName endswith ":\\Windows\\SysWOW64\\werfault.exe")))

Required Data Sources

False Positive Guidance

• Unknown

MITRE ATT&CK Context

• Technique: T1218 — T1218

References

• https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
• SigmaHQ Rule