detection.wiki

Detection rules › Splunk

Windows Office Product Loading VBE7 DLL

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1566.001 Phishing: Spearphishing Attachment

Event coverage

ProviderEvent IDTitle
Sysmon7Image loaded

Stages and Predicates

Stage 1: search

search EventCode=7 loaded_file_path IN ("*\\VBE7.DLL", "*\\VBE7INTL.DLL", "*\\VBEUI.DLL") process_name IN ("EQNEDT32.exe", "Graph.exe", "excel.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe")

Stage 2: fillnull

fillnull

Stage 3: stats

stats BY Image, ImageLoaded, dest, loaded_file, loaded_file_path, original_file_name, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product

Stage 4: search

search

Stage 5: search

search

Stage 6: search

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventCodeeq
  • 7 corpus 35 (splunk 35)
loaded_file_pathin
  • "*\\VBE7.DLL"
  • "*\\VBE7INTL.DLL"
  • "*\\VBEUI.DLL"
process_namein
  • "EQNEDT32.exe" corpus 5 (splunk 5)
  • "Graph.exe" corpus 5 (splunk 5)
  • "excel.exe" corpus 5 (splunk 5)
  • "msaccess.exe" corpus 5 (splunk 5)
  • "mspub.exe" corpus 5 (splunk 5)
  • "onenote.exe" corpus 5 (splunk 5)
  • "onenoteim.exe" corpus 5 (splunk 5)
  • "onenotem.exe" corpus 5 (splunk 5)
  • "outlook.exe" corpus 5 (splunk 5)
  • "powerpnt.exe" corpus 5 (splunk 5)
  • "visio.exe" corpus 5 (splunk 5)
  • "winproj.exe" corpus 5 (splunk 5)
  • "winword.exe" corpus 5 (splunk 5)

Neighbors

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.