Active Directory Kerberos DLL Loaded Via Office Application

 1title: Active Directory Kerberos DLL Loaded Via Office Application
 2id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
 3status: test
 4description: Detects Kerberos DLL being loaded by an Office Product
 5references:
 6    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
 7author: Antonlovesdnb
 8date: 2020-02-19
 9modified: 2023-03-28
10tags:
11    - attack.execution
12    - attack.t1204.002
13logsource:
14    category: image_load
15    product: windows
16detection:
17    selection:
18        Image|endswith:
19            - '\excel.exe'
20            - '\mspub.exe'
21            - '\onenote.exe'
22            - '\onenoteim.exe' # Just in case
23            - '\outlook.exe'
24            - '\powerpnt.exe'
25            - '\winword.exe'
26        ImageLoaded|endswith: '\kerberos.dll'
27    condition: selection
28falsepositives:
29    - Unknown
30level: medium

References

• Detecting Adversary Tradecraft with Image Load Event Logging and EQL

  

  While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…

  
  Read More

Related rules

• Active Directory Parsing DLL Loaded Via Office Application
• CLR DLL Loaded Via Office Applications
• DotNET Assembly DLL Loaded Via Office Application
• Download From Suspicious TLD - Blacklist
• Download From Suspicious TLD - Whitelist