Sigma rule to detect Office persistence via addin.

rules/windows/sysmon/sysmon_office_persistence.yml

@@ -0,0 +1,32 @@
+title: Microsoft Office Add-In Loading
+id: 8e1cb247-6cf6-42fa-b440-3f27d57e9936
+status: experimental
+description: Detects add-ins that load when Microsoft Word or Excel starts (.wll/.xll are simply .dll fit for Word or Excel).
+references:
+  - Internal research
+tags:
+  - attack.persistence
+  - attack.t1137
+author: NVISO
+date: 2020/05/11
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 11 #FileCreate
+  wlldropped:
+    TargetFilename|contains: \Microsoft\Word\Startup\
+    TargetFilename|endswith: .wll
+  xlldropped:
+    TargetFilename|contains: \Microsoft\Excel\Startup\
+    TargetFilename|endswith: .xll
+  generic:
+    TargetFilename|contains: \Microsoft\Addins\
+    TargetFilename|endswith:
+      - .xlam
+      - .xla
+condition: selection and (wlldropped or xlldropped or generic)
+falsepositives:
+  - Legitimate add-ins
+level: high