DotNET Assembly DLL Loaded Via Office Application
Detects any assembly DLL being loaded by an Office Product
Sigma rule (View on GitHub)
title: DotNET Assembly DLL Loaded Via Office Application
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\assembly\'
    condition: selection
falsepositives:
    - Unknown
level: medium
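To show what the selection above actually matches, here is an added Python example that is not part of the rule or of the SigmaHQ project. It re-implements the two conditions (Image|endswith over the Office process list, ImageLoaded|startswith on the GAC path) as a plain function and runs it over constructed image_load records shaped like Sysmon Event ID 7 (fields Image and ImageLoaded, as named in the rule). The sample records, the assembly paths and the file names in them are constructed for illustration; Sigma string matching is case-insensitive by default, so the comparison lowercases both sides.

```python
"""Evaluate the Sigma selection from the rule above against constructed events."""

# Office host processes from the rule's Image|endswith list
OFFICE_IMAGES = (
    "\\excel.exe", "\\mspub.exe", "\\onenote.exe", "\\onenoteim.exe",
    "\\outlook.exe", "\\powerpnt.exe", "\\winword.exe",
)
# Prefix from the rule's ImageLoaded|startswith modifier
ASSEMBLY_PREFIX = "C:\\Windows\\assembly\\"


def matches(event: dict) -> bool:
    """Return True when an image_load event satisfies the rule's selection.

    Both Sigma conditions are AND-ed (condition: selection). Sigma compares
    strings case-insensitively, so both sides are lowercased first. A missing
    field never matches.
    """
    image = str(event.get("Image", "")).lower()
    loaded = str(event.get("ImageLoaded", "")).lower()
    office_host = image.endswith(tuple(s.lower() for s in OFFICE_IMAGES))
    # The trailing backslash in the prefix keeps 'C:\Windows\assemblyx\...'
    # from matching, which a bare 'C:\Windows\assembly' would not.
    from_gac = loaded.startswith(ASSEMBLY_PREFIX.lower())
    return office_host and from_gac


def alerts(events: list[dict]) -> list[dict]:
    """Filter a batch of image_load events down to those the rule fires on."""
    return [e for e in events if matches(e)]


# Constructed Sysmon Event ID 7 style records (not real telemetry; paths and
# assembly names are invented for the example).
SAMPLE_EVENTS = [
    {   # Word loading a GAC assembly: matches (note upper-case Image)
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "ImageLoaded": "C:\\Windows\\assembly\\GAC_MSIL\\Example.Assembly\\"
                       "1.0.0.0__0123456789abcdef\\Example.Assembly.dll",
    },
    {   # Excel loading an ordinary Office component: no match (wrong prefix)
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "ImageLoaded": "C:\\Program Files\\Common Files\\Microsoft Shared\\Office16\\mso.dll",
    },
    {   # Non-Office process loading from the GAC: no match (wrong Image)
        "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
        "ImageLoaded": "C:\\Windows\\assembly\\GAC_MSIL\\Example.Assembly\\"
                       "1.0.0.0__0123456789abcdef\\Example.Assembly.dll",
    },
    {   # Prefix boundary: 'assemblyx' is not 'assembly\': no match
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
        "ImageLoaded": "C:\\Windows\\assemblyx\\other.dll",
    },
    {   # Field missing entirely (truncated record): no match
        "Image": "C:\\Program Files\\WindowsApps\\Microsoft.Office.OneNote\\onenoteim.exe",
    },
    {   # PowerPoint loading a native image from the GAC, lower-case drive: matches
        "Image": "c:\\program files\\microsoft office\\root\\office16\\powerpnt.exe",
        "ImageLoaded": "c:\\windows\\assembly\\NativeImages_v4.0.30319_32\\"
                       "Example.Assembly\\0a1b2c3d\\Example.Assembly.ni.dll",
    },
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

Running the block prints the two matching records (the Word and PowerPoint loads). The two "no match" cases around the GAC prefix and the missing field are the ones to keep in mind when tuning: the rule says nothing about which assembly is loaded, so every managed-code load by an Office process from the GAC, including legitimate add-ins, lands in the medium-level alert, which is why the falsepositives field is still Unknown.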
Related rules
- Active Directory Kerberos DLL Loaded Via Office Application
- Active Directory Parsing DLL Loaded Via Office Application
- CLR DLL Loaded Via Office Applications
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist