VBA DLL Loaded Via Office Application
Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
Sigma rule (View on GitHub)
1title: VBA DLL Loaded Via Office Application
2id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
3status: test
4description: Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.
5references:
6 - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
7author: Antonlovesdnb
8date: 2020/02/19
9modified: 2023/02/10
10tags:
11 - attack.execution
12 - attack.t1204.002
13logsource:
14 category: image_load
15 product: windows
16detection:
17 selection:
18 Image|endswith:
19 - '\excel.exe'
20 - '\mspub.exe'
21 - '\onenote.exe'
22 - '\onenoteim.exe' # Just in case
23 - '\outlook.exe'
24 - '\powerpnt.exe'
25 - '\winword.exe'
26 ImageLoaded|endswith:
27 - '\VBE7.DLL'
28 - '\VBEUI.DLL'
29 - '\VBE7INTL.DLL'
30 condition: selection
31falsepositives:
32 - Legitimate macro usage. Add the appropriate filter according to your environment
33level: high
References
-
While examining some malicious Microsoft Office and PE files to look for detection opportunities, I came across a few samples where…
Read More
Related rules
- GAC DLL Loaded Via Office Applications
- Flash Player Update from Suspicious Location
- Suspicious User-Initiated Process Execution on External Drive (Old)
- Suspicious User-Initiated Process Execution on External Drive (Sysmon)
- File Was Not Allowed To Run