.. /AddinUtil.exe
Star

Execute

.NET Tool used for updating cache files for Microsoft Office Add-Ins.

Paths:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

Resources:

https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

Acknowledgements:

Michael McKinley (@MckinleyMike)
Tony Latteri (@TheLatteri)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_suspicious_cmdline.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_child_process.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_cmdline.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_addinutil_uncommon_dir_exec.yml

Execute

AddinUtil is executed from the directory where the 'Addins.Store' payload exists, AddinUtil will execute the 'Addins.Store' payload.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe -AddinRoot:.

Usecase: Proxy execution of malicious serliaized payload
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
MITRE ATT&CK®: T1218

.. /AddinUtil.exe Star

Execute

.. /AddinUtil.exe
Star