mirror of
				https://github.com/LOLBAS-Project/LOLBAS
				synced 2025-10-25 23:05:58 +02:00 
	added addinutil lolbas binary (#335)
* added addinutil lolbas binary
* updated format for lint
* EOF LF
yml/OSBinaries/Addinutil.yml | 30 lines | Normal file
							| @@ -0,0 +1,30 @@ | ||||
| --- | ||||
| Name: AddinUtil.exe | ||||
| Description: .NET Tool used for updating cache files for Microsoft Office Add-Ins. | ||||
| Author: 'Michael McKinley @MckinleyMike' | ||||
| Created: 2023-10-05 | ||||
| Commands: | ||||
|   - Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe -AddinRoot:. | ||||
|     Description: AddinUtil is executed from the directory where the 'Addins.Store' payload exists, AddinUtil will execute the 'Addins.Store' payload. | ||||
|     Usecase: Proxy execution of malicious serliaized payload | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 | ||||
| Full_Path: | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe | ||||
|   - Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe | ||||
| Code_Sample: | ||||
|   - Code: https://gist.github.com/SILJAEUROPA/a850d476179d73df230a876944e9f3b1#file-addins-store | ||||
| Detection: | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml | ||||
|   - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml | ||||
| Resources: | ||||
|   - Link: https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html | ||||
| Acknowledgement: | ||||
|   - Person: Michael McKinley | ||||
|     Handle: '@MckinleyMike' | ||||
|   - Person: Tony Latteri | ||||
|     Handle: '@TheLatteri' | ||||
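Review bot: the `Usecase:` line misspells "serialized" (`Proxy execution of malicious serliaized payload`), and the `Description:` line directly above it is a comma splice that names AddinUtil twice ("AddinUtil is executed from the directory where the 'Addins.Store' payload exists, AddinUtil will execute the 'Addins.Store' payload."). Suggest `Usecase: Proxy execution of malicious serialized payload` and a single-clause description that also ties the behaviour to the `-AddinRoot:.` argument shown in the command, e.g. `Description: When executed with -AddinRoot: pointing at a directory containing a malicious 'Addins.Store' file, AddinUtil loads and executes that payload.` A smaller point on the same hunk: `Full_Path:` lists both the Framework and Framework64 copies of the binary, but the single `Commands:` entry only shows the 32-bit path; a one-line note that the Framework64 path behaves the same (or a second Command entry) would make the two sections consistent.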