GAC DLL Loaded Via Office Applications
Detects any GAC DLL being loaded by an Office Product
Sigma rule (View on GitHub)
1title: GAC DLL Loaded Via Office Applications
2id: 90217a70-13fc-48e4-b3db-0d836c5824ac
3status: test
4description: Detects any GAC DLL being loaded by an Office Product
5references:
6 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
7author: Antonlovesdnb
8date: 2020/02/19
9modified: 2023/02/10
10tags:
11 - attack.execution
12 - attack.t1204.002
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 Image|endswith:
19 - '\excel.exe'
20 - '\mspub.exe'
21 - '\onenote.exe'
22 - '\onenoteim.exe' # Just in case
23 - '\outlook.exe'
24 - '\powerpnt.exe'
25 - '\winword.exe'
26 ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
27 condition: selection
28falsepositives:
29 - Legitimate macro usage. Add the appropriate filter according to your environment
30level: high
References
-
While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…
Read More
Related rules
- VBA DLL Loaded Via Office Application
- Flash Player Update from Suspicious Location
- Suspicious User-Initiated Process Execution on External Drive (Old)
- Suspicious User-Initiated Process Execution on External Drive (Sysmon)
- File Was Not Allowed To Run