Adversaries may load malicious Excel Add-Ins (.xll files) from uncommon locations to execute arbitrary code or exfiltrate data undetected. An XLL is a native DLL that Excel loads and runs when the file is opened, so a user-writable staging directory such as Downloads or Temp is the usual drop point after a phishing delivery. SOC teams should proactively hunt for this behaviour in Microsoft Sentinel (formerly Azure Sentinel) or Microsoft Defender for Endpoint advanced hunting to identify potentially compromised workstations before lateral movement or data theft follows.
Detection Rule
title: Microsoft Excel Add-In Loaded From Uncommon Location
id: af4c4609-5755-42fe-8075-4effb49f5d44
related:
    - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
      type: derived
status: test
description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
references:
    - https://www.mandiant.com/resources/blog/lnk-between-browsers
    - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-12
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|contains:
            # Note: Add or remove locations from this list based on your internal policy
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
            - '\Windows\Tasks\'
        ImageLoaded|endswith: '.xll'
    condition: selection
falsepositives:
    - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
level: medium
The same selection as a KQL query for Microsoft Defender for Endpoint / Microsoft Sentinel advanced hunting. In DeviceImageLoadEvents the loading process is InitiatingProcessFolderPath and the loaded module is FolderPath; endswith and contains are case-insensitive in KQL, which matters because Sysmon and Defender record the Office binary as EXCEL.EXE:
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\excel.exe"
| where FolderPath endswith ".xll"
| where FolderPath contains "\\Desktop\\"
    or FolderPath contains "\\Downloads\\"
    or FolderPath contains "\\Perflogs\\"
    or FolderPath contains "\\Temp\\"
    or FolderPath contains "\\Users\\Public\\"
    or FolderPath contains "\\Windows\\Tasks\\"
Scenario: A system administrator deploys a custom Excel Add-In with a script during a scheduled maintenance window, and the staging copy that Excel later loads sits in one of the listed directories.
Filter/Exclusion: Prefer to fix the deployment so the .xll is installed under a standard location such as Program Files rather than excluding it. If an exclusion is needed, allowlist the deployed file by its SHA-256 (the Hashes field of Sysmon Event ID 7, or the SHA256 column of DeviceImageLoadEvents) and its signer. Excluding on the launching task (schtasks.exe, or a command line containing /C or /SC) is weak: an attacker's own scheduled-task persistence would pass the same filter, and it needs process-creation context that a Sysmon image-load event does not carry (join on ProcessGuid; in Defender use InitiatingProcessCommandLine and InitiatingProcessParentFileName).
Scenario: A developer is testing a new Excel Add-In locally and temporarily keeps the file in a non-standard directory for debugging.
Filter/Exclusion: Scope the exclusion to the developer's account and the exact test directory (the User field plus an ImageLoaded path prefix), ideally time-boxed. Command-line markers such as --debug or --test are not usable here: Excel does not take such switches, so they could only come from a developer harness that launches Excel, and even then the image-load event itself has no command line (Sysmon needs a join on ProcessGuid; Defender exposes InitiatingProcessCommandLine).
Scenario: A third-party application (e.g., Microsoft Power BI or Alteryx) integrates with Excel through an Add-In that lives in a non-standard directory.
Filter/Exclusion: Exclude the specific add-in by path and hash, or by its vendor signature, rather than by a parent process name alone. If you do key on the parent of excel.exe (InitiatingProcessParentFileName in Defender, or the Sysmon process-creation event joined on ProcessGuid), confirm the real executable names from your own process-creation telemetry instead of guessing names such as PowerBI.exe, Alteryx.exe, or ExcelAddIn.exe.
Scenario: A backup or synchronization tool (e.g., Veeam, SyncBack, or Robocopy) copies an Excel Add-In file into a temporary directory during a sync operation.
Filter/Exclusion: The copy alone does not fire the rule; it fires only if Excel loads the staged copy, which is itself worth understanding. If that is expected, exclude the tool's specific temporary directory together with the add-in's hash. Filtering on the copying tool's process name or on command lines containing robocopy or rsync does not help, because the loading process is always excel.exe and the sync tool is not in its ancestry.
Scenario: An enterprise security tool (e.g., CrowdStrike, SentinelOne, or Microsoft Defender for Endpoint, formerly Defender ATP) loads a custom Excel Add-In for monitoring or analysis purposes.
Filter/Exclusion: Allowlist the vendor-signed add-in by signer (Sysmon Signature with SignatureStatus Valid) and by hash. Do not exclude on process names such as CrowdStrike.exe, SentinelOne.exe, or MsDefenderATP.exe: the loading process is excel.exe in every case, those are not the agents' actual service binaries, and a filter on a bare process name is trivially satisfied by a renamed attacker binary. Verify real agent executable names in your own telemetry before keying on them.
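The rule's selection and the hash/signer-based tuning recommended in the scenarios above, as an added example that is not code from the original page, the Sigma project or any vendor named here: a Python matcher run over constructed Sysmon Event ID 7 (image load) records. Every path, hash and signer (including "Contoso BI Vendor") is made up for the demonstration.

```python
"""Added example (not code from the original page, the Sigma project or any
vendor named above): the rule's selection applied to constructed Sysmon
Event ID 7 (image load) records, plus the hash/signer allowlist that the
tuning notes recommend. Every path, hash and signer below is made up."""

# Sigma |endswith / |contains (and KQL endswith / contains) are case-insensitive,
# so both sides of every comparison are lower-cased. Sysmon logs the Office
# binary as EXCEL.EXE, which a case-sensitive backend would miss.
UNCOMMON_DIRS = (
    "\\Desktop\\",
    "\\Downloads\\",
    "\\Perflogs\\",
    "\\Temp\\",
    "\\Users\\Public\\",
    "\\Windows\\Tasks\\",
)


def matches_rule(event: dict) -> bool:
    """Selection from the Sigma rule: Image ends with \\excel.exe, ImageLoaded
    ends with .xll and ImageLoaded contains one of UNCOMMON_DIRS."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return (
        image.endswith("\\excel.exe")
        and loaded.endswith(".xll")
        and any(d.lower() in loaded for d in UNCOMMON_DIRS)
    )


def parse_sysmon_hashes(field: str) -> dict:
    """Sysmon's Hashes field looks like 'SHA1=..,MD5=..,SHA256=..,IMPHASH=..'."""
    out = {}
    for part in field.split(","):
        name, sep, value = part.partition("=")
        if sep:
            out[name.strip().upper()] = value.strip().lower()
    return out


def should_alert(event: dict, allow_sha256=frozenset(), allow_signers=frozenset()) -> bool:
    """Rule match minus tuning. Known-good add-ins are suppressed by SHA-256
    or by a valid signature from an approved signer, not by parent process
    name or command line, which an attacker controls and which the image-load
    event does not carry anyway."""
    if not matches_rule(event):
        return False
    sha256 = parse_sysmon_hashes(event.get("Hashes", "")).get("SHA256")
    if sha256 in allow_sha256:
        return False
    if event.get("SignatureStatus") == "Valid" and event.get("Signature") in allow_signers:
        return False
    return True


def triage(events, allow_sha256=frozenset(), allow_signers=frozenset()) -> list:
    """Return the ImageLoaded paths that survive the rule and the allowlist."""
    return [e["ImageLoaded"] for e in events if should_alert(e, allow_sha256, allow_signers)]


# ---- constructed sample telemetry (Sysmon Event ID 7 fields, abbreviated) ----
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
WORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
GOOD_SHA256 = "b" * 64  # made-up hash of the add-in the admin deploys to Users\Public
ALLOW_SHA256 = frozenset({GOOD_SHA256})
ALLOW_SIGNERS = frozenset({"Contoso BI Vendor"})  # hypothetical approved signer


def _ev(image, loaded, sha256, signer="", status="Unavailable"):
    """Build one constructed event; only the fields the rule and tuning use."""
    return {
        "Image": image,
        "ImageLoaded": loaded,
        "Hashes": f"SHA1=da39a3ee5e6b4b0d3255bfef95601890afd80709,MD5=d41d8cd98f00b204e9800998ecf8427e,SHA256={sha256},IMPHASH=00000000000000000000000000000000",
        "Signed": "true" if signer else "false",
        "Signature": signer,
        "SignatureStatus": status,
    }


SAMPLE_EVENTS = [
    _ev(EXCEL, "C:\\Users\\alice\\Downloads\\invoice_q3.xll", "a" * 64),           # phish-style drop: alert
    _ev(EXCEL, "C:\\Windows\\Tasks\\UPDATE.XLL", "c" * 64),                         # upper-case extension: alert
    _ev(EXCEL, "C:\\Users\\Public\\corp-reporting.xll", GOOD_SHA256),               # matches, allowlisted by hash
    _ev(EXCEL, "C:\\Temp\\bi-bridge.xll", "d" * 64, "Contoso BI Vendor", "Valid"),  # matches, allowlisted by signer
    _ev(EXCEL, "C:\\Program Files\\Contoso\\analytics.xll", "e" * 64),              # standard location: no match
    _ev(WORD, "C:\\Users\\bob\\Desktop\\macro.xll", "f" * 64),                       # not Excel: no match
    _ev(EXCEL, "C:\\Users\\bob\\Desktop\\helper.dll", "0" * 64),                    # not an .xll: no match
]

if __name__ == "__main__":
    print("rule hits:    ", triage(SAMPLE_EVENTS))
    print("after tuning: ", triage(SAMPLE_EVENTS, ALLOW_SHA256, ALLOW_SIGNERS))
```

Run stand-alone, the first line lists all four rule hits and the second only the Downloads and Windows\Tasks loads, because the other two are suppressed by hash and by signer. The hash allowlist translates directly to the KQL side as `| where SHA256 !in (...)` on DeviceImageLoadEvents; the signer check uses Sysmon's Signature and SignatureStatus fields and is what to reach for before any exclusion on parent process or command line.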