Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
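# Sigma rule: flags registry writes to the per-application Office add-in
# registration keys and to the VSTO security inclusion list, while excluding
# the writers expected to populate them (Windows installers, Office Click-to-Run,
# the Office integrator, the Office applications themselves, VSTOInstaller).
# The rule as pasted had lost all indentation; structure restored below.
title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
    - https://twitter.com/_vivami/status/1347925307643355138
    - https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2026-01-09
tags:
    - attack.t1137.006
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        # The leading '\Software' prefix matches the key under either hive
        # (HKCU or HKLM). 'contains' is case-insensitive in Sigma, so the
        # 'Powerpoint' spelling still matches the on-disk 'PowerPoint' key.
        TargetObject|contains:
            - '\Software\Microsoft\Office\Outlook\Addins\'
            - '\Software\Microsoft\Office\Word\Addins\'
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
    # All filters below key on the writing image's path only; this log source
    # carries no signer information, so they reduce noise rather than establish
    # trust. A match in any single filter suppresses the event (see condition).
    #
    # Generic Windows installers. Excluding them also excludes add-in registration
    # that any other software performs through msiexec/regsvr32, so this filter
    # trades coverage for noise — review it against the environment's baseline.
    filter_main_system:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe'  # e.g. default Evernote installation
    # Office Click-to-Run servicing; both Image conditions must hold.
    filter_main_office_click_to_run:
        Image|startswith:
            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    # Office applications writing their own add-in keys. Both conditions must
    # hold: an Office install directory prefix AND one of the listed binaries.
    filter_main_office_apps:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
            # 8.3 short-name form; short names depend on directory creation
            # order, so confirm that this maps to the Office directory on the
            # hosts being monitored.
            - 'C:\PROGRA~2\MICROS~2\Office'
        Image|endswith:
            - '\excel.exe'
            - '\Integrator.exe'
            - '\OneNote.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\Teams.exe'
            - '\visio.exe'
            - '\winword.exe'
    # The VSTO runtime's own installer.
    filter_main_vsto:
        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\VSTO\'
            # NOTE(review): unlike the x64 entry above, this one has no
            # 'Common Files\' component — confirm the (x86) VSTOInstaller path
            # on a reference host before relying on it.
            - 'C:\Program Files (x86)\Microsoft Shared\VSTO\'
        Image|endswith: '\VSTOInstaller.exe'
    # Optional filters: AV products registering their own Outlook add-in.
    # Each pairs the vendor's binary with the vendor's add-in key, so a write
    # by that binary to any other add-in key is still reported.
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    # '1 of <prefix>*' is true when any one filter matches, so every filter
    # is an independent exclusion.
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Addin Installation
level: medium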
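imRegistry
// Sentinel (ASIM imRegistry) rendering of the Sigma rule above.
// The generated translation expressed the rule's `TargetObject|contains` as
// `RegistryKey endswith "...\\Addins*"`. KQL has no wildcard in endswith — the
// `*` is matched literally — so those terms could never match a real key and
// the query would have returned nothing. They are restored here as `contains`
// with the rule's own values (trailing backslash kept). contains/startswith/
// endswith/in~ are all case-insensitive in KQL, matching Sigma semantics.
| where (
        // selection: Office add-in registration keys + VSTO inclusion list
        RegistryKey contains "\\Software\\Microsoft\\Office\\Outlook\\Addins\\"
        or RegistryKey contains "\\Software\\Microsoft\\Office\\Word\\Addins\\"
        or RegistryKey contains "\\Software\\Microsoft\\Office\\Excel\\Addins\\"
        or RegistryKey contains "\\Software\\Microsoft\\Office\\Powerpoint\\Addins\\"
        or RegistryKey contains "\\Software\\Microsoft\\VSTO\\Security\\Inclusion\\"
    )
    // filter_main_*: any single match suppresses the event
    and not (
        // filter_main_system
        ActingProcessName in~ (
            "C:\\Windows\\System32\\msiexec.exe",
            "C:\\Windows\\SysWOW64\\msiexec.exe",
            "C:\\Windows\\System32\\regsvr32.exe",
            "C:\\Windows\\SysWOW64\\regsvr32.exe"
        )
        // filter_main_office_click_to_run
        or (
            (ActingProcessName startswith "C:\\Program Files\\Common Files (x86)\\Microsoft Shared\\ClickToRun\\"
                or ActingProcessName startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\")
            and ActingProcessName endswith "\\OfficeClickToRun.exe"
        )
        // filter_main_integrator
        or ActingProcessName in~ (
            "C:\\Program Files (x86)\\Microsoft Office\\root\\integration\\integrator.exe",
            "C:\\Program Files\\Microsoft Office\\root\\integration\\integrator.exe"
        )
        // filter_main_office_apps: install-directory prefix AND known binary
        or (
            (ActingProcessName startswith "C:\\Program Files\\Microsoft Office\\OFFICE"
                or ActingProcessName startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE"
                or ActingProcessName startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE"
                or ActingProcessName startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE"
                or ActingProcessName startswith "C:\\PROGRA~2\\MICROS~2\\Office")
            and (ActingProcessName endswith "\\excel.exe"
                or ActingProcessName endswith "\\Integrator.exe"
                or ActingProcessName endswith "\\OneNote.exe"
                or ActingProcessName endswith "\\outlook.exe"
                or ActingProcessName endswith "\\powerpnt.exe"
                or ActingProcessName endswith "\\Teams.exe"
                or ActingProcessName endswith "\\visio.exe"
                or ActingProcessName endswith "\\winword.exe")
        )
        // filter_main_vsto
        or (
            (ActingProcessName startswith "C:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\"
                or ActingProcessName startswith "C:\\Program Files (x86)\\Microsoft Shared\\VSTO\\")
            and ActingProcessName endswith "\\VSTOInstaller.exe"
        )
    )
    // filter_optional_*: AV vendors registering their own Outlook add-in;
    // the vendor binary is only excluded when writing the vendor's own key
    and not (
        (
            ActingProcessName in~ (
                "C:\\Program Files\\AVG\\Antivirus\\RegSvr.exe",
                "C:\\Program Files (x86)\\AVG\\Antivirus\\RegSvr.exe"
            )
            and RegistryKey contains "\\Microsoft\\Office\\Outlook\\Addins\\Antivirus.AsOutExt\\"
        )
        or (
            ActingProcessName in~ (
                "C:\\Program Files\\Avast Software\\Avast\\RegSvr.exe",
                "C:\\Program Files (x86)\\Avast Software\\Avast\\RegSvr.exe"
            )
            and RegistryKey contains "\\Microsoft\\Office\\Outlook\\Addins\\Avast.AsOutExt\\"
        )
    )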
| Sentinel Table | Notes |
|---|---|
| imRegistry | Ensure this data connector is enabled |