Suspicious AddinUtil.EXE CommandLine Execution (631b22a4-70f4-4e2f-9ea8-42f84d9df6d8)
Detects execution of the Add-In deployment cache updating utility (AddInutil.exe) with suspicious Addinroot or Pipelineroot paths. An adversary may execute AddinUtil.exe with uncommon Addinroot/Pipelineroot paths that point to the adversaries Addins.Store payload.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Suspicious AddinUtil.EXE CommandLine Execution (631b22a4-70f4-4e2f-9ea8-42f84d9df6d8) | Sigma-Rules | 1 |