4355ece230
remove: Active Directory Kerberos DLL Loaded Via Office Application - deprecated as it triggers on normal activity
fix: Scheduled Task Creation Via Schtasks.EXE - add for msoffice application
fix: Use Short Name Path in Command Line - add filter for dotnet csc.exe
fix: Potential Product Reconnaissance Via Wmic.EXE - add filter for some product related operation through wmic
fix: WMIC Remote Command Execution - fix broken FP filter
fix: Classes Autorun Keys Modification - filter null details
fix: CurrentVersion Autorun Keys Modification - filter null details
fix: Modification of IE Registry Settings - filter null details
fix: Potential Persistence Via Shim Database Modification - filter null details
fix: Scheduled TaskCache Change by Uncommon Program - filter null details
update: Copy From Or To Admin Share Or Sysvol Folder - some logic change
---------
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
31 lines
998 B
YAML
title: Active Directory Kerberos DLL Loaded Via Office Application
id: 7417e29e-c2e7-4cf6-a2e8-767228c64837
status: deprecated # In the AD Environment, kerberos.dll is loaded every time an Office application is launched, so this rule is not useful.
description: Detects Kerberos DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2025-10-22
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|endswith: '\kerberos.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
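Review bot: the `falsepositives` field still reads `Unknown` even though the comment on `status: deprecated` names the exact benign trigger (in an AD environment kerberos.dll is loaded every time an Office application launches); move that cause into `falsepositives` (e.g. `- Office applications on domain-joined hosts load kerberos.dll on every launch`) so the deprecation reason is carried in a structured field rather than only in an inline comment that tooling will not surface.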