sigma · medium · Hunting

Potential Persistence Via Visual Studio Tools for Office

Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.

MITRE ATT&CK

persistence

Detection Query

selection:
  TargetObject|contains:
    - \Software\Microsoft\Office\Outlook\Addins\
    - \Software\Microsoft\Office\Word\Addins\
    - \Software\Microsoft\Office\Excel\Addins\
    - \Software\Microsoft\Office\Powerpoint\Addins\
    - \Software\Microsoft\VSTO\Security\Inclusion\
filter_main_system:
  Image:
    - C:\Windows\System32\msiexec.exe
    - C:\Windows\SysWOW64\msiexec.exe
    - C:\Windows\System32\regsvr32.exe
    - C:\Windows\SysWOW64\regsvr32.exe
filter_main_office_click_to_run:
  Image|startswith:
    - C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\
    - C:\Program Files\Common Files\Microsoft Shared\ClickToRun\
  Image|endswith: \OfficeClickToRun.exe
filter_main_integrator:
  Image:
    - C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe
    - C:\Program Files\Microsoft Office\root\integration\integrator.exe
filter_main_office_apps:
  Image|startswith:
    - C:\Program Files\Microsoft Office\OFFICE
    - C:\Program Files (x86)\Microsoft Office\OFFICE
    - C:\Program Files\Microsoft Office\Root\OFFICE
    - C:\Program Files (x86)\Microsoft Office\Root\OFFICE
  Image|endswith:
    - \excel.exe
    - \Integrator.exe
    - \outlook.exe
    - \powerpnt.exe
    - \Teams.exe
    - \visio.exe
    - \winword.exe
filter_optional_avg:
  Image:
    - C:\Program Files\AVG\Antivirus\RegSvr.exe
    - C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\
filter_optional_avast:
  Image:
    - C:\Program Files\Avast Software\Avast\RegSvr.exe
    - C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe
  TargetObject|contains: \Microsoft\Office\Outlook\Addins\Avast.AsOutExt\
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

Bhabesh Raj

Created

2021-01-10

Data Sources

Registry Set Events (windows)

Platforms

windows

Tags

attack.t1137.006, attack.persistence

Raw Content

title: Potential Persistence Via Visual Studio Tools for Office
id: 9d15044a-7cfe-4d23-8085-6ebc11df7685
status: test
description: Detects persistence via Visual Studio Tools for Office (VSTO) add-ins in Office applications.
references:
    - https://twitter.com/_vivami/status/1347925307643355138
    - https://vanmieghem.io/stealth-outlook-persistence/
author: Bhabesh Raj
date: 2021-01-10
modified: 2025-10-07
tags:
    - attack.t1137.006
    - attack.persistence
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains:
            - '\Software\Microsoft\Office\Outlook\Addins\'
            - '\Software\Microsoft\Office\Word\Addins\'
            - '\Software\Microsoft\Office\Excel\Addins\'
            - '\Software\Microsoft\Office\Powerpoint\Addins\'
            - '\Software\Microsoft\VSTO\Security\Inclusion\'
    filter_main_system:
        Image:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
            - 'C:\Windows\System32\regsvr32.exe'
            - 'C:\Windows\SysWOW64\regsvr32.exe' # e.g. default Evernote installation
    filter_main_office_click_to_run:
        Image|startswith:
            - 'C:\Program Files\Common Files (x86)\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
        Image|endswith: '\OfficeClickToRun.exe'
    filter_main_integrator:
        Image:
            - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
            - 'C:\Program Files\Microsoft Office\root\integration\integrator.exe'
    filter_main_office_apps:
        Image|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
        Image|endswith:
            - '\excel.exe'
            - '\Integrator.exe'
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\Teams.exe'
            - '\visio.exe'
            - '\winword.exe'
    filter_optional_avg:
        Image:
            - 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
            - 'C:\Program Files (x86)\AVG\Antivirus\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    filter_optional_avast:
        Image:
            - 'C:\Program Files\Avast Software\Avast\RegSvr.exe'
            - 'C:\Program Files (x86)\Avast Software\Avast\RegSvr.exe'
        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Avast.AsOutExt\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Legitimate Addin Installation
level: medium
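To see how the rule's selection, filters and condition interact, here is an added example that evaluates this one rule over a handful of constructed Sysmon-style registry_set events. It is not code from the Sigma project or from this catalog; it is a minimal matcher written for this page, assuming the Sigma convention that string comparisons are case-insensitive and that the events carry the Image and TargetObject fields the rule references. The SID, add-in names, GUID and user paths in the sample events are made up.

```python
"""Evaluate the VSTO add-in persistence Sigma rule against sample
registry_set events.  Added example: a minimal matcher for this one rule,
not code from the Sigma project.  Event fields follow the Sysmon
registry_set shape (Image, TargetObject) that the rule assumes."""


def p(path):
    """Spell the rule's backslash paths with '/' to avoid escape noise."""
    return path.replace("/", "\\")


# The rule's detection block, transcribed one to one.
SELECTION = {"TargetObject|contains": [
    p("/Software/Microsoft/Office/Outlook/Addins/"),
    p("/Software/Microsoft/Office/Word/Addins/"),
    p("/Software/Microsoft/Office/Excel/Addins/"),
    p("/Software/Microsoft/Office/Powerpoint/Addins/"),
    p("/Software/Microsoft/VSTO/Security/Inclusion/"),
]}

FILTERS_MAIN = {
    "system": {"Image": [
        p("C:/Windows/System32/msiexec.exe"), p("C:/Windows/SysWOW64/msiexec.exe"),
        p("C:/Windows/System32/regsvr32.exe"), p("C:/Windows/SysWOW64/regsvr32.exe")]},
    "office_click_to_run": {
        "Image|startswith": [
            p("C:/Program Files/Common Files (x86)/Microsoft Shared/ClickToRun/"),
            p("C:/Program Files/Common Files/Microsoft Shared/ClickToRun/")],
        "Image|endswith": p("/OfficeClickToRun.exe")},
    "integrator": {"Image": [
        p("C:/Program Files (x86)/Microsoft Office/root/integration/integrator.exe"),
        p("C:/Program Files/Microsoft Office/root/integration/integrator.exe")]},
    "office_apps": {
        "Image|startswith": [
            p("C:/Program Files/Microsoft Office/OFFICE"),
            p("C:/Program Files (x86)/Microsoft Office/OFFICE"),
            p("C:/Program Files/Microsoft Office/Root/OFFICE"),
            p("C:/Program Files (x86)/Microsoft Office/Root/OFFICE")],
        "Image|endswith": [p("/excel.exe"), p("/Integrator.exe"), p("/outlook.exe"),
                           p("/powerpnt.exe"), p("/Teams.exe"), p("/visio.exe"),
                           p("/winword.exe")]},
}

FILTERS_OPTIONAL = {
    "avg": {"Image": [p("C:/Program Files/AVG/Antivirus/RegSvr.exe"),
                      p("C:/Program Files (x86)/AVG/Antivirus/RegSvr.exe")],
            "TargetObject|contains": p("/Microsoft/Office/Outlook/Addins/Antivirus.AsOutExt/")},
    "avast": {"Image": [p("C:/Program Files/Avast Software/Avast/RegSvr.exe"),
                        p("C:/Program Files (x86)/Avast Software/Avast/RegSvr.exe")],
              "TargetObject|contains": p("/Microsoft/Office/Outlook/Addins/Avast.AsOutExt/")},
}


def field_matches(event, key, values):
    """One 'Field|modifier: value(s)' line.  Sigma string matching is
    case-insensitive and a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in ([values] if isinstance(values, str) else values):
        value = value.lower()
        if ((modifier == "" and actual == value)
                or (modifier == "contains" and value in actual)
                or (modifier == "startswith" and actual.startswith(value))
                or (modifier == "endswith" and actual.endswith(value))):
            return True
    return False


def block_matches(event, block):
    """All field lines inside one selection or filter block are AND-ed."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    if not block_matches(event, SELECTION):
        return False
    if any(block_matches(event, f) for f in FILTERS_MAIN.values()):
        return False
    return not any(block_matches(event, f) for f in FILTERS_OPTIONAL.values())


# Constructed sample events (fake SID, paths and add-in names), not real telemetry.
HKU = p("HKU/S-1-5-21-1111-2222-3333-1001/Software/Microsoft")
SAMPLE_EVENTS = [
    {"note": "regsvr32 registering an add-in (filtered)",
     "Image": p("C:/Windows/System32/regsvr32.exe"),
     "TargetObject": HKU + p("/Office/Outlook/Addins/Vendor.Addin/LoadBehavior")},
    {"note": "Click-to-Run servicing (filtered)",
     "Image": p("C:/Program Files/Common Files/Microsoft Shared/ClickToRun/OfficeClickToRun.exe"),
     "TargetObject": HKU + p("/Office/Word/Addins/Vendor.Addin/LoadBehavior")},
    {"note": "Outlook itself touching its add-in keys (filtered)",
     "Image": p("C:/Program Files/Microsoft Office/Root/OFFICE16/OUTLOOK.EXE"),
     "TargetObject": HKU + p("/Office/Outlook/Addins/Vendor.Addin/LoadBehavior")},
    {"note": "binary in a user temp folder writing an Outlook add-in key (alert)",
     "Image": p("C:/Users/alice/AppData/Local/Temp/setup.exe"),
     "TargetObject": HKU + p("/Office/Outlook/Addins/Example.Addin/LoadBehavior")},
    {"note": "script host adding a VSTO inclusion list entry (alert)",
     "Image": p("C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe"),
     "TargetObject": HKU + p("/VSTO/Security/Inclusion/{00000000-0000-0000-0000-000000000000}/Url")},
    {"note": "unrelated Run key write (no selection match)",
     "Image": p("C:/Users/alice/AppData/Local/Temp/setup.exe"),
     "TargetObject": HKU + p("/Windows/CurrentVersion/Run/Updater")},
]


def alerts(events):
    """Return the notes of the events this rule would fire on."""
    return [e["note"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for note in alerts(SAMPLE_EVENTS):
        print("ALERT:", note)
```

Only the two events whose Image is neither an installer, Office's own servicing binaries, nor an Office application survive the filters, which is the point of the `filter_main_*` and `filter_optional_*` blocks: the registry paths alone are written constantly by legitimate installs (the stated false positive), so the process writing them is what separates a hunt lead from noise.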