Microsoft Office DLL Sideload
Detects sideloading of a DLL that is part of Microsoft Office (outllib.dll) when it is loaded from a non-standard location, i.e. outside the Office installation directories.
Sigma rule:

```yaml
title: Microsoft Office DLL Sideload
id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
status: test
description: Detects DLL sideloading of DLLs that are part of Microsoft Office from non standard location
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022/08/17
modified: 2023/03/15
tags:
    - attack.defense_evasion
    - attack.persistence
    - attack.privilege_escalation
    - attack.t1574.001
    - attack.t1574.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\outllib.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
```
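To show what the rule's `selection and not filter` condition actually evaluates to, the following is an added example (not part of the Sigma project or this rule) that re-implements the matching logic in Python and runs it over constructed image_load events of the shape Sysmon Event ID 7 produces; the sample paths and the `alerts` helper are assumptions made for the example. Sigma string modifiers compare case-insensitively, which is why `OFFICE` in the filter still covers an `Office16` directory.

```python
"""Evaluate the 'Microsoft Office DLL Sideload' Sigma rule against image_load events."""
from typing import Dict, List

# Values copied from the rule above. Sigma matching is case-insensitive by default,
# so every comparison below lowercases both the event field and the rule value.
SELECTION_SUFFIX = r"\outllib.dll"
FILTER_PREFIXES = [
    r"C:\Program Files\Microsoft Office\OFFICE",
    r"C:\Program Files (x86)\Microsoft Office\OFFICE",
    r"C:\Program Files\Microsoft Office\Root\OFFICE",
    r"C:\Program Files (x86)\Microsoft Office\Root\OFFICE",
]


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    image = event.get("ImageLoaded", "").lower()
    selection = image.endswith(SELECTION_SUFFIX.lower())          # ImageLoaded|endswith
    filtered = any(image.startswith(p.lower()) for p in FILTER_PREFIXES)  # ImageLoaded|startswith
    return selection and not filtered


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the ImageLoaded paths of all events the rule would alert on."""
    return [e["ImageLoaded"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths, not taken from a real host).
SAMPLE_EVENTS = [
    {   # Legitimate load from the Click-to-Run install directory: suppressed by the filter.
        "Image": r"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE",
        "ImageLoaded": r"C:\Program Files\Microsoft Office\Root\Office16\OUTLLIB.DLL",
    },
    {   # Office DLL name loaded from a user-writable folder: this is what the rule flags.
        "Image": r"C:\Users\alice\Downloads\invoice\OUTLOOK.EXE",
        "ImageLoaded": r"C:\Users\alice\Downloads\invoice\outllib.dll",
    },
    {   # Unrelated DLL: the selection does not match at all.
        "Image": r"C:\Windows\System32\svchost.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
    },
]

if __name__ == "__main__":
    for path in alerts(SAMPLE_EVENTS):
        print("ALERT:", path)
```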
Related rules
- Potential Antivirus Software DLL Sideloading
- Creation Of Non-Existent System DLL
- Potential DLL Sideloading Of Non-Existent DLLs From System Folders
- Third Party Software DLL Sideloading
- DLL Sideloading Of ShellChromeAPI.DLL