Merge pull request #583 from msec1203/msec1203-submit-rule1

MS Office Doc Load WMI DLL Rule

rules/windows/sysmon/win_susp_winword_wmidll_load.yml

@@ -0,0 +1,34 @@
+title: Suspicious Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
+id: a457f232-7df9-491d-898f-b5aabd2cbe2f
+status: experimental
+description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
+references:
+    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
+    - https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
+    - https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
+author: Michael R. (@nahamike01)
+date: 2019/12/26
+tags:
+    - attack.execution
+    - attack.t1047
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 7
+        Image:
+            - '*\winword.exe'
+            - '*\powerpnt.exe'
+            - '*\excel.exe'
+            - '*\outlook.exe'
+        ImageLoaded:
+            - '*\wmiutils.dll'
+            - '*\wbemcomn.dll'
+            - '*\wbemprox.dll'
+            - '*\wbemdisp.dll'
+            - '*\wbemsvc.dll'
+    condition: selection
+falsepositives:
+    - Possible. Requires further testing.
+level: high