valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9625a94d0b
SigmaHQ/rules/windows/sysmon/sysmon_susp_winword_wmidll_load.yml
Florian Roth d42e87edd7 fix: fixed casing and long rule titles
2020-01-30 17:26:09 +01:00

35 lines
1.2 KiB
YAML
Raw Blame History

title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
id: a457f232-7df9-491d-898f-b5aabd2cbe2f
status: experimental
description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
- https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/
- https://media.cert.europa.eu/static/SecurityAdvisories/2019/CERT-EU-SA2019-021.pdf
author: Michael R. (@nahamike01)
date: 2019/12/26
tags:
- attack.execution
- attack.t1047
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 7
Image:
- '*\winword.exe'
- '*\powerpnt.exe'
- '*\excel.exe'
- '*\outlook.exe'
ImageLoaded:
- '*\wmiutils.dll'
- '*\wbemcomn.dll'
- '*\wbemprox.dll'
- '*\wbemdisp.dll'
- '*\wbemsvc.dll'
condition: selection
falsepositives:
- Possible. Requires further testing.
level: high
Reference in New Issue View Git Blame Copy Permalink