Active Directory Parsing DLL Loaded Via Office Application
Detects DSParse DLL being loaded by an Office Product
Sigma rule (View on GitHub)
1title: Active Directory Parsing DLL Loaded Via Office Application
2id: a2a3b925-7bb0-433b-b508-db9003263cc4
3status: test
4description: Detects DSParse DLL being loaded by an Office Product
5references:
6 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
7author: Antonlovesdnb
8date: 2020/02/19
9modified: 2023/03/28
10tags:
11 - attack.execution
12 - attack.t1204.002
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 Image|endswith:
19 - '\excel.exe'
20 - '\mspub.exe'
21 - '\onenote.exe'
22 - '\onenoteim.exe' # Just in case
23 - '\outlook.exe'
24 - '\powerpnt.exe'
25 - '\winword.exe'
26 ImageLoaded|contains: '\dsparse.dll'
27 condition: selection
28falsepositives:
29 - Unknown
30level: medium
References
-
While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…
Read More
Related rules
- Active Directory Kerberos DLL Loaded Via Office Application
- CLR DLL Loaded Via Office Applications
- DotNET Assembly DLL Loaded Via Office Application
- GAC DLL Loaded Via Office Applications
- VBA DLL Loaded Via Office Application