AddinUtil.exe

.NET Tool used for updating cache files for Microsoft Office Add-Ins.

Paths

• C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
• C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe
• C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe
• C:\Windows\Microsoft.NET\Framework64\v3.5\AddInUtil.exe

Commands

Execute

AddinUtil is executed from the directory where the 'Addins.Store' payload exists, AddinUtil will execute the 'Addins.Store' payload.

Use case: Proxy execution of malicious serialized payload

Privileges: User

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe -AddinRoot:.

Detection

• Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
• Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml

Resources

• https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html