CLR DLL Loaded Via Office Applications
Detects the .NET Common Language Runtime (clr.dll) being loaded into a Microsoft Office application process. Office does not need the CLR for its own work, so the load is a useful indicator of .NET-based tooling or payloads being brought in through a document, such as a macro that instantiates a .NET component.
Sigma rule
title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: test
description: Detects CLR DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains: '\clr.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
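The rule has a single selection: the loading process must be one of the listed Office binaries (an `endswith` test on `Image`) and the loaded module path must contain `\clr.dll`. The following is an added worked example, not part of the Sigma rule or the SigmaHQ project, that re-implements that selection in Python and runs it over a handful of constructed Sysmon Event ID 7 (Image loaded) records. It assumes events arrive as dicts keyed by the Sysmon field names `Image` and `ImageLoaded`, and it applies Sigma's default case-insensitive string matching.

```python
"""Evaluate the 'CLR DLL Loaded Via Office Applications' selection against
constructed Sysmon Event ID 7 records.

Assumptions (not part of the original rule): events are dicts with the Sysmon
field names Image and ImageLoaded, and matching is case-insensitive, as Sigma's
endswith/contains modifiers are by default.
"""

# Mirrors the rule's selection block: Image|endswith and ImageLoaded|contains.
OFFICE_IMAGES = (
    "\\excel.exe",
    "\\mspub.exe",
    "\\outlook.exe",
    "\\onenote.exe",
    "\\onenoteim.exe",
    "\\powerpnt.exe",
    "\\winword.exe",
)
CLR_FRAGMENT = "\\clr.dll"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's selection.

    Both fields are lower-cased so that 'WINWORD.EXE' and 'CLR.DLL' match the
    lower-case strings in the rule. A missing field never matches.
    """
    image = str(event.get("Image", "")).lower()
    loaded = str(event.get("ImageLoaded", "")).lower()
    return image.endswith(OFFICE_IMAGES) and CLR_FRAGMENT in loaded


def run_detection(events):
    """Apply the rule to an iterable of events and return the matching ones."""
    return [e for e in events if matches_rule(e)]


# Constructed Sysmon Event ID 7 records (not real telemetry), one per branch.
SAMPLE_EVENTS = [
    {   # .NET runtime pulled into Word, e.g. by a macro using a .NET COM object: alert
        "EventID": 7,
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
        "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    },
    {   # Ordinary system DLL loaded by Excel: no alert
        "EventID": 7,
        "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
    },
    {   # PowerShell hosts the CLR legitimately and is not an Office image: no alert
        "EventID": 7,
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    },
    {   # Office name appears mid-path, not as the process name (endswith, not contains): no alert
        "EventID": 7,
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\winword.exe.tmp\\stage.exe",
        "ImageLoaded": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll",
    },
    {   # Store OneNote binary with different casing in both fields: alert
        "EventID": 7,
        "Image": "C:\\Program Files\\WindowsApps\\OneNoteIm.exe",
        "ImageLoaded": "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\CLR.DLL",
    },
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} loaded {hit['ImageLoaded']}")
```

Two practical points when deploying this rule. First, it only fires if image-load telemetry is actually collected for the Office binaries: Sysmon Event ID 7 is frequently filtered down or disabled for volume reasons, so confirm the collector configuration before relying on the alert. Second, Office add-ins built on VSTO are .NET assemblies and will load clr.dll into the host process as a matter of course, so environments with such add-ins should baseline those loads rather than treat every hit as suspicious.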
Related rules
- Active Directory Kerberos DLL Loaded Via Office Application
- Active Directory Parsing DLL Loaded Via Office Application
- DotNET Assembly DLL Loaded Via Office Application
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist