diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
new file mode 100644
index 000000000..8a3b448c7
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -0,0 +1,28 @@
+title: dotNET DLL Loaded Via Office Applications
+id: ff0f2b05-09db-4095-b96d-1b75ca24894a
+status: experimental
+description: Detects any assembly DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial.access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*C:\Windows\assembly\'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
new file mode 100644
index 000000000..48a82e714
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_clr_dll_load.yml
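Review bot: The `ImageLoaded` value `'*C:\Windows\assembly\'` in the selection cannot match a real image-load event: Sigma treats `*` as a glob and the pattern ends in a backslash, so only an `ImageLoaded` path that ends in `C:\Windows\assembly\` would satisfy it, which a DLL path never does, leaving the rule dead as written. Put the wildcard on the file side instead, `- 'C:\Windows\assembly\*'`. The tactic tag is also malformed for Sigma tooling, which spells tactics with an underscore: `- attack.initial_access`. Finally, the falsepositives entry already concedes that legitimate activity fires this, and .NET-based COM/VSTO add-ins presumably load assemblies into Office at every start, so either add a `filter` selection for known add-in paths or drop `level` below `high` before this is deployable.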
@@ -0,0 +1,28 @@
+title: CLR DLL Loaded Via Office Applications
+id: d13c43f0-f66b-4279-8b2c-5912077c1780
+status: experimental
+description: Detects CLR DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial.access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*clr.dll*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
new file mode 100644
index 000000000..46f1ce1ac
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_office_dotnet_gac_dll_load.yml
@@ -0,0 +1,28 @@
+title: GAC DLL Loaded Via Office Applications
+id: 90217a70-13fc-48e4-b3db-0d836c5824ac
+status: experimental
+description: Detects any GAC DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial.access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
\ No newline at end of file
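Review bot: The `ImageLoaded` pattern `'*clr.dll*'` has no path separator and a trailing wildcard, so it matches any image path that merely contains that substring (`coreclr.dll`, `clr.dll.mui`, or any third-party DLL whose name ends in those letters) rather than the CLR runtime specifically; tighten it to `- '*\clr.dll'` and add `- '*\coreclr.dll'` if .NET Core hosting is in scope. The falsepositives text talks about macro usage, but plain VBA is native COM and does not by itself bring in the CLR; what presumably fires this routinely is .NET-based VSTO/COM add-ins, which load `clr.dll` into winword.exe or outlook.exe at every start, so name that explicitly so analysts know what to filter. Also note that this rule fires on the same event chain as the sibling assembly and GAC rules in this commit, since a managed assembly cannot be mapped before the CLR is loaded, so one add-in start will raise three alerts.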
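Review bot: The `ImageLoaded` value `'*C:\Windows\Microsoft.NET\assembly\GAC_MSIL'` has no trailing wildcard, so it only matches an `ImageLoaded` string that ends in `GAC_MSIL`, which is a directory name and never a loaded DLL path, and the rule will never fire. Use `- 'C:\Windows\Microsoft.NET\assembly\GAC_*'` to cover `GAC_32` and `GAC_64` as well as `GAC_MSIL`, or `- 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL\*'` if only MSIL assemblies are wanted. This rule, the `C:\Windows\assembly\` rule and the `clr.dll` rule added in the same commit all describe one activity (Office hosting .NET), so a single rule with those paths as one `ImageLoaded` list would produce one alert instead of three per add-in load. The tactic tag should also be spelled `attack.initial_access`, matching the Sigma tag convention.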
diff --git a/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml
new file mode 100644
index 000000000..d4df28cbd
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_office_dsparse_dll_load.yml
@@ -0,0 +1,28 @@
+title: Active Directory Parsing DLL Loaded Via Office Applications
+id: a2a3b925-7bb0-433b-b508-db9003263cc4
+status: experimental
+description: Detects DSParse DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2020/02/19
+tags:
+ - attack.initial.access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*dsparse.dll*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
new file mode 100644
index 000000000..4b6e01db0
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_office_kerberos_dll_load.yml
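Review bot: The `ImageLoaded` pattern `'*dsparse.dll*'` lacks a path separator and carries a needless trailing wildcard, so it matches any image whose path merely contains that substring; `- '*\dsparse.dll'` is the precise form. The falsepositives entry appears copied from the .NET rules: "legitimate macro usage" says nothing about which legitimate Office activity loads an AD name-parsing DLL, and whether outlook.exe pulls it in during Exchange or address-book name resolution is not something this hunk establishes, so baseline it before shipping at `level: high`. Tagging-wise, an Office process resolving directory objects is discovery behaviour rather than delivery, so consider adding `- attack.discovery` next to the initial-access tags, and spell the existing tactic tag `attack.initial_access` per the Sigma convention.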
@@ -0,0 +1,28 @@
+title: Active Directory Kerberos DLL Loaded Via Office Applications
+id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
+status: experimental
+description: Detects Kerberos DLL being loaded by an Office Product
+references:
+ - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+author: Antonlovesdnb
+date: 2019/12/26
+tags:
+ - attack.initial.access
+ - attack.t1193
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 7
+ Image:
+ - '*\winword.exe'
+ - '*\powerpnt.exe'
+ - '*\excel.exe'
+ - '*\outlook.exe'
+ ImageLoaded:
+ - '*kerberos.dll*'
+ condition: selection
+falsepositives:
+ - Alerts on legitimate macro usage as well, will need to filter as appropriate
+level: high
\ No newline at end of file
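Review bot: Including `'*\outlook.exe'` in the `Image` list makes this `level: high` rule fire on routine activity: in domain-joined environments Outlook authenticates to Exchange via Negotiate/Kerberos, so outlook.exe presumably loads `kerberos.dll` on every mailbox connection (confirm against a baseline, but expect it to be constant rather than occasional). Either drop outlook.exe from this rule or add a `filter` selection with `condition: selection and not filter` that excludes the expected loads, and lower the level until that is done. The `ImageLoaded` pattern `'*kerberos.dll*'` should also lose its trailing wildcard and gain a separator, `- '*\kerberos.dll'`, so it cannot match unrelated DLLs that happen to contain that substring in their path. The tactic tag should read `attack.initial_access` to match the Sigma tag convention.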