Suspicious Execution via Microsoft Office Add-Insedit

Identifies execution of common Microsoft Office applications to launch an Office Add-In from a suspicious path or with an unusual parent process. This may indicate an attempt to get initial access via a malicious phishing MS Office Add-In.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*
  • endgame-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Initial Access
  • Tactic: Persistence
  • Data Source: Elastic Endgame
  • Data Source: Elastic Defend

Version: 3

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

process where

    host.os.type == "windows" and event.type == "start" and : ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSACCESS.EXE", "VSTOInstaller.exe") and

    process.args regex~ """.+\.(wll|xll|ppa|ppam|xla|xlam|vsto)""" and

    /* Office Add-In from suspicious paths */
    (process.args :
              "http*") or : ("explorer.exe", "OpenWith.exe") or

    /* Office Add-In from suspicious parent */ : ("cmd.exe", "powershell.exe")) and

    /* False Positives */
    not (process.args : "*.vsto" and
         process.parent.executable :
                   ("?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility*.exe",
                    "?:\\Program Files\\Logitech\\LogiOptions\\PlugInInstallerUtility.exe",
                    "?:\\Program Files\\LogiOptionsPlus\\PlugInInstallerUtility*.exe",
                    "?:\\Program Files\\Common Files\\microsoft shared\\VSTO\\*\\VSTOInstaller.exe")) and
    not (process.args : "/Uninstall" and : "VSTOInstaller.exe") and
    not ( : "rundll32.exe" and
         process.parent.args : "?:\\WINDOWS\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc") and
    not ( : "VSTOInstaller.exe" and process.args : "")