detection.wiki

Detection rules › Sigma

VBA DLL Loaded Via Office Application

Severity
high
Author
Antonlovesdnb
Source
upstream

Detects VB DLL's loaded by an office application. Which could indicate the presence of VBA Macros.

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1204.002 User Execution: Malicious File

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: selection

or:
Image|endswith: '\excel.exe'
Image|endswith: '\mspub.exe'
Image|endswith: '\onenote.exe'
Image|endswith: '\onenoteim.exe'
Image|endswith: '\outlook.exe'
Image|endswith: '\powerpnt.exe'
Image|endswith: '\winword.exe'
or:
ImageLoaded|endswith: '\VBE7.DLL'
ImageLoaded|endswith: '\VBE7INTL.DLL'
ImageLoaded|endswith: '\VBEUI.DLL'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Imageends_with
  • \excel.exe corpus 16 (sigma 16)
  • \mspub.exe corpus 7 (sigma 7)
  • \onenote.exe corpus 6 (sigma 6)
  • \onenoteim.exe corpus 6 (sigma 6)
  • \outlook.exe corpus 16 (sigma 16)
  • \powerpnt.exe corpus 13 (sigma 13)
  • \winword.exe corpus 17 (sigma 17)
ImageLoadedends_with
  • \VBE7.DLL
  • \VBE7INTL.DLL
  • \VBEUI.DLL