5 Rules covering various macro techniques

- Rule to look for GAC DLL loaded by an Office Product
- Rule to look for any DLL in C:\Windows\assembly loaded by an Office Product
- Rule to look for clr.dll loaded by an Office Product
- Rule to look for directory services parsing dll loaded by an Office Product
- Rule to look for kerberos dll loaded by an Office Product

rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml

@@ -0,0 +1,28 @@
+title: dotNET DLL Loaded Via Office Applications
+id: ff0f2b05-09db-4095-b96d-1b75ca24894a
+status: experimental
+description: Detects any assembly DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial.access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*C:\Windows\assembly\'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml

@@ -0,0 +1,28 @@
+title: CLR DLL Loaded Via Office Applications
+id: d13c43f0-f66b-4279-8b2c-5912077c1780
+status: experimental
+description: Detects CLR DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial.access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*clr.dll*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml

@@ -0,0 +1,28 @@
+title: GAC DLL Loaded Via Office Applications
+id: 90217a70-13fc-48e4-b3db-0d836c5824ac
+status: experimental
+description: Detects any GAC DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial.access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml

@@ -0,0 +1,28 @@
+title: Active Directory Parsing DLL Loaded Via Office Applications
+id: a2a3b925-7bb0-433b-b508-db9003263cc4
+status: experimental
+description: Detects DSParse DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+    - attack.initial.access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*dsparse.dll*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high

rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml

@@ -0,0 +1,28 @@
+title: Active Directory Kerberos DLL Loaded Via Office Applications
+id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
+status: experimental
+description: Detects Kerberos DLL being loaded by an Office Product
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2019/12/26
+tags:
+    - attack.initial.access
+    - attack.t1193
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*kerberos.dll*'
+    condition: selection
+falsepositives:
+    - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high