Microsoft Excel Add-In Loaded From Uncommon Location
Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
Sigma rule (View on GitHub)
1title: Microsoft Excel Add-In Loaded From Uncommon Location
2id: af4c4609-5755-42fe-8075-4effb49f5d44
3related:
4 - id: c5f4b5cb-4c25-4249-ba91-aa03626e3185
5 type: derived
6status: test
7description: Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location
8references:
9 - https://www.mandiant.com/resources/blog/lnk-between-browsers
10 - https://wazuh.com/blog/detecting-xll-files-used-for-dropping-fin7-jssloader-with-wazuh/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-05-12
13tags:
14 - attack.execution
15 - attack.t1204.002
16logsource:
17 category: image_load
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\excel.exe'
22 ImageLoaded|contains:
23 # Note: Add or remove locations from this list based on your internal policy
24 - '\Desktop\'
25 - '\Downloads\'
26 - '\Perflogs\'
27 - '\Temp\'
28 - '\Users\Public\'
29 - '\Windows\Tasks\'
30 ImageLoaded|endswith: '.xll'
31 condition: selection
32falsepositives:
33 - Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations
34level: medium
References
-
Two pillars in sleight of hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, the trick needs to be concealed behind something or...
Read More -
In this new blog post, we look at the behavior of the dropper XLL file and how Wazuh can detect this activity in your network.
Read More
Related rules
- Active Directory Kerberos DLL Loaded Via Office Application
- Active Directory Parsing DLL Loaded Via Office Application
- CLR DLL Loaded Via Office Applications
- DotNET Assembly DLL Loaded Via Office Application
- Download From Suspicious TLD - Blacklist