Potential Arbitrary DLL Load Using Winword
Detects a potential arbitrary DLL load via the Microsoft Office winword process using the '/l' command-line switch, which starts Word with the specified file loaded as a Word add-in.
Sigma rule
title: Potential Arbitrary DLL Load Using Winword
id: f7375e28-5c14-432f-b8d1-1db26c832df3
related:
    - id: 2621b3a6-3840-4810-ac14-a02426086171
      type: obsolete
status: test
description: Detects a potential arbitrary DLL load via the Microsoft Office winword process using the '/l' command-line switch, which starts Word with the specified file loaded as a Word add-in.
references:
    - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-03-29
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WINWORD.exe'
        - OriginalFileName: 'WinWord.exe'
    selection_dll:
        CommandLine|contains|all:
            - '/l '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
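To make concrete what the two selections test, here is an added example (not part of the Sigma rule and not SigmaHQ tooling) that evaluates the rule's logic in plain Python over constructed process_creation events. The Office install path, the user paths and the command lines are hypothetical sample data; the matching follows Sigma's default case-insensitive string semantics for `endswith` and `contains`.

```python
"""Added example: evaluate the 'Potential Arbitrary DLL Load Using Winword'
Sigma rule by hand over constructed process_creation events.
Not part of the rule or of SigmaHQ tooling."""

# Sigma string matching is case-insensitive by default, so both sides are
# lowercased before comparison.


def selection_img(event: dict) -> bool:
    """selection_img: Image|endswith '\\WINWORD.exe' OR OriginalFileName 'WinWord.exe'.

    The leading backslash in the endswith term anchors the match to the whole
    file name, so a binary called notWINWORD.exe would not match on Image.
    OriginalFileName (from the PE version resource) still catches a renamed copy.
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\winword.exe") or original == "winword.exe"


def selection_dll(event: dict) -> bool:
    """selection_dll: CommandLine|contains|all '/l ' and '.dll'.

    Note the trailing space in '/l ': the switch must be followed by a space
    for this term to fire, and '.dll' is matched anywhere in the command line.
    """
    cmd = event.get("CommandLine", "").lower()
    return "/l " in cmd and ".dll" in cmd


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_dll(event)


# Constructed sample events (hypothetical install and user paths).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
EVENTS = [
    # 0: the pattern the rule targets -> match
    {"Image": OFFICE + r"\WINWORD.EXE", "OriginalFileName": "WinWord.exe",
     "CommandLine": f'"{OFFICE}\\WINWORD.EXE" /l C:\\Users\\Public\\addin.dll'},
    # 1: ordinary document open -> no match
    {"Image": OFFICE + r"\WINWORD.EXE", "OriginalFileName": "WinWord.exe",
     "CommandLine": f'"{OFFICE}\\WINWORD.EXE" /n "C:\\Users\\alice\\report.docx"'},
    # 2: renamed copy of winword.exe, caught via OriginalFileName -> match
    {"Image": r"C:\Users\Public\w.exe", "OriginalFileName": "WinWord.exe",
     "CommandLine": r"C:\Users\Public\w.exe /l C:\Users\Public\addin.dll"},
    # 3: same switch on a different Office process -> no match (rule is scoped to Word)
    {"Image": OFFICE + r"\EXCEL.EXE", "OriginalFileName": "Excel.exe",
     "CommandLine": f'"{OFFICE}\\EXCEL.EXE" /l C:\\Users\\Public\\addin.dll'},
    # 4: path attached directly to the switch with no space -> no match,
    #    because the rule's '/l ' term requires a trailing space
    {"Image": OFFICE + r"\WINWORD.EXE", "OriginalFileName": "WinWord.exe",
     "CommandLine": f'"{OFFICE}\\WINWORD.EXE" /lC:\\Users\\Public\\addin.dll'},
]


def run_rule(events: list) -> list:
    """Return the indices of the events that satisfy the full rule condition."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    for i in run_rule(EVENTS):
        print(f"ALERT event {i}: {EVENTS[i]['CommandLine']}")
```

Event 2 is the reason the rule ORs in OriginalFileName: renaming the binary defeats the Image check but not the PE version resource. Event 4 shows a gap worth knowing about before deploying the rule: because the rule's first term is '/l ' with a trailing space, a command line that attaches the path directly to the switch is not matched; if that spelling shows up in your own telemetry, add a term for it rather than relying on this rule alone.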
Related rules
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Inline Command Execution Via Bash.EXE