Initial Upload

Submit Sigma Rule For Detecting Word Loading WMI DLL's.

rules/windows/sysmon/win_susp_winword_wmidll_load.yml

@@ -0,0 +1,35 @@
+
+title: Suspicious Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
+status: experimental
+description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+    - https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
+    - https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
+author: Michael R. @nahamike01
+date: 2019/12/26
+tags:
+    - attack.wmi
+    - attack.t1047
+logsource:
+    product: windows
+    service: sysmon
+    category: image_load
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*\wmiutils.dll'
+            - '*\wbemcomn.dll'
+            - '*\wbemprox.dll'
+            - '*\wbemdisp.dll'
+            - '*\wbemsvc.dll'
+    condition: selection
+falsepositives:
+    - May Contain FP's, tuning probably required.
+level: high