detection.wiki

Detection rules › Sigma

DotNET Assembly DLL Loaded Via Office Application

Severity
medium
Author
Antonlovesdnb
Source
upstream

Detects any assembly DLL being loaded by an Office Product

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1204.002 User Execution: Malicious File

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: selection

or:
Image|endswith: '\excel.exe'
Image|endswith: '\mspub.exe'
Image|endswith: '\onenote.exe'
Image|endswith: '\onenoteim.exe'
Image|endswith: '\outlook.exe'
Image|endswith: '\powerpnt.exe'
Image|endswith: '\winword.exe'
ImageLoaded|startswith: 'C:\Windows\assembly\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \excel.exe corpus 16 (sigma 16)
  • \mspub.exe corpus 7 (sigma 7)
  • \onenote.exe corpus 6 (sigma 6)
  • \onenoteim.exe corpus 6 (sigma 6)
  • \outlook.exe corpus 16 (sigma 16)
  • \powerpnt.exe corpus 13 (sigma 13)
  • \winword.exe corpus 17 (sigma 17)
ImageLoadedstarts_with
  • C:\Windows\assembly\