Microsoft Office DLL Sideload
Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
Sigma rule (View on GitHub)
1title: Microsoft Office DLL Sideload
2id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
3status: test
4description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
5references:
6 - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
7author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
8date: 2022-08-17
9modified: 2023-03-15
10tags:
11 - attack.defense-evasion
12 - attack.persistence
13 - attack.privilege-escalation
14 - attack.t1574.001
15logsource:
16 category: image_load
17 product: windows
18detection:
19 selection:
20 ImageLoaded|endswith: '\outllib.dll'
21 filter:
22 ImageLoaded|startswith:
23 - 'C:\Program Files\Microsoft Office\OFFICE'
24 - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
25 - 'C:\Program Files\Microsoft Office\Root\OFFICE'
26 - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
27 condition: selection and not filter
28falsepositives:
29 - Unlikely
30level: high
References
-
HijackLibs provides an curated list of DLL Hijacking opportunities: mappings between DLLs and vulnerable executables, with additional metadata for more context. For defenders, this project can provide valuable information when trying to detect DLL Hijacking attempts; for red teamers, this project can help identify DLLs that can be used to achieve DLL Hijacking.
Read More
Related rules
- Creation Of Non-Existent System DLL
- DLL Search Order Hijackig Via Additional Space in Path
- DLL Sideloading Of ShellChromeAPI.DLL
- Malicious DLL File Dropped in the Teams or OneDrive Folder
- Potential 7za.DLL Sideloading