PowerShell Core DLL Loaded Via Office Application

calendar Apr 1, 2024 · attack.defense_evasion  ·
Share on: linkedin copy

Detects PowerShell core DLL being loaded by an Office Product

Sigma rule (View on GitHub)

 1title: PowerShell Core DLL Loaded Via Office Application
 2id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
 3status: test
 4description: Detects PowerShell core DLL being loaded by an Office Product
 5references:
 6    - Internal Research
 7author: Nasreddine Bencherchali (Nextron Systems)
 8date: 2023/06/01
 9tags:
10    - attack.defense_evasion
11logsource:
12    category: image_load
13    product: windows
14detection:
15    selection:
16        Image|endswith:
17            - '\excel.exe'
18            - '\mspub.exe'
19            - '\outlook.exe'
20            - '\onenote.exe'
21            - '\onenoteim.exe' # Just in case
22            - '\powerpnt.exe'
23            - '\winword.exe'
24        ImageLoaded|contains:
25            - '\System.Management.Automation.Dll'
26            - '\System.Management.Automation.ni.Dll'
27    condition: selection
28falsepositives:
29    - Unknown
30level: medium

References

Related rules

to-top