valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
4260d01ff0
SigmaHQ/rules/windows/sysmon/win_susp_winword_wmidll_load.yml
msec1203 4260d01ff0 Initial Upload 
Submit Sigma Rule For Detecting Word Loading WMI DLL's.
2020-01-24 15:31:06 +01:00

36 lines
1.1 KiB
YAML
Raw Blame History

title: Suspicious Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
author: Michael R. @nahamike01
date: 2019/12/26
tags:
- attack.wmi
- attack.t1047
logsource:
product: windows
service: sysmon
category: image_load
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- '*\wmiutils.dll'
- '*\wbemcomn.dll'
- '*\wbemprox.dll'
- '*\wbemdisp.dll'
- '*\wbemsvc.dll'
condition: selection
falsepositives:
- May Contain FP's, tuning probably required.
level: high
Reference in New Issue View Git Blame Copy Permalink