.. /AddinUtil.exe
Star

.NET Tool used for updating cache files for Microsoft Office Add-Ins.

Paths:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddinUtil.exe

Resources:

https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html

Acknowledgements:

Michael McKinley (@MckinleyMike)
Tony Latteri (@TheLatteri)

Detection:

Execute

AddinUtil is executed from the directory where the 'Addins.Store' payload exists, AddinUtil will execute the 'Addins.Store' payload.
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddinUtil.exe -AddinRoot:.
```
Use case
Proxy execution of malicious serialized payload

Privileges required
User

Operating systems
Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218