From fa3b5ed33c312be6e8d3d0ce1444b227f4feb6bd Mon Sep 17 00:00:00 2001
From: SILJAEUROPA <michaeldylanmckinley@gmail.com>
Date: Mon, 9 Oct 2023 03:05:57 -0400
Subject: [PATCH] added addinutil lolbas binary (#335)

* added addinutil lolbas binary

* updated format for lint

* EOF LF
---
 yml/OSBinaries/Addinutil.yml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 yml/OSBinaries/Addinutil.yml

diff --git a/yml/OSBinaries/Addinutil.yml b/yml/OSBinaries/Addinutil.yml
new file mode 100644
index 0000000..8ccece5
--- /dev/null
+++ b/yml/OSBinaries/Addinutil.yml
@@ -0,0 +1,30 @@
+---
+Name: AddinUtil.exe
+Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins.
+Author: 'Michael McKinley @MckinleyMike'
+Created: 2023-10-05
+Commands:
+  - Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe -AddinRoot:.
+    Description: AddinUtil is executed from the directory where the 'Addins.Store' payload exists, AddinUtil will execute the 'Addins.Store' payload.
+    Usecase: Proxy execution of malicious serliaized payload
+    Category: Execute
+    Privileges: User
+    MitreID: T1218
+    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
+Full_Path:
+  - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
+  - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
+Code_Sample:
+  - Code: https://gist.github.com/SILJAEUROPA/a850d476179d73df230a876944e9f3b1#file-addins-store
+Detection:
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
+  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml
+Resources:
+  - Link: https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html
+Acknowledgement:
+  - Person: Michael McKinley
+    Handle: '@MckinleyMike'
+  - Person: Tony Latteri
+    Handle: '@TheLatteri'