SigmaHQ/rules/windows/sysmon/sysmon_susp_winword_vbadll_load.yml

title: VBA DLL Loaded Via Microsoft Word
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2019/12/26
tags:
    - attack.initial.access
    - attack.t1193
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 7
        Image:
            - '*\winword.exe'
            - '*\powerpnt.exe'
            - '*\excel.exe'
            - '*\outlook.exe'
        ImageLoaded:
            - '*\VBE7.DLL'
            - '*\VBEUI.DLL'
            - '*\VBE7INTL.DLL'
    condition: selection
falsepositives:
    - Alerts on legitimate macro usage as well, will need to filter as appropriate
level: high
Add files via upload 2020-02-19 15:13:44 +00:00			`title: VBA DLL Loaded Via Microsoft Word`
			`id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9`
			`status: experimental`
			`description: Detects DLL's Loaded Via Word Containing VBA Macros`
			`references:`
			`- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16`
			`author: Antonlovesdnb`
			`date: 2019/12/26`
			`tags:`
			`- attack.initial.access`
			`- attack.t1193`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`selection:`
			`EventID: 7`
			`Image:`
			`- '*\winword.exe'`
			`- '*\powerpnt.exe'`
			`- '*\excel.exe'`
			`- '*\outlook.exe'`
			`ImageLoaded:`
			`- '*\VBE7.DLL'`
			`- '*\VBEUI.DLL'`
			`- '*\VBE7INTL.DLL'`
			`condition: selection`
			`falsepositives:`
			`- Alerts on legitimate macro usage as well, will need to filter as appropriate`
			`level: high`