false positives may occur if legitimate office documents are executing macro code. ensure to investigate the macro code and the command to be executed. if the macro code is benign, add the document name to the exclusion list. some applications may legitimately load vbe7intl.dll, vbe7.dll, or vbeui.dll.

Techniques

T1566.001

Sample rules

Windows Office Product Loading VBE7 DLL

source: splunk
technicques:
- T1566.001

Description

The following analytic identifies office documents executing macro code. It leverages Sysmon EventCode 7 to detect when processes like WINWORD.EXE or EXCEL.EXE load specific DLLs associated with macros (e.g., VBE7.DLL). This activity is significant because macros are a common attack vector for delivering malicious payloads, such as malware. If confirmed malicious, this could lead to unauthorized code execution, data exfiltration, or further compromise of the system. Disabling macros by default is recommended to mitigate this risk.

Detection logic

`sysmon` EventCode=7 process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") loaded_file_path IN ("*\\VBE7INTL.DLL", "*\\VBE7.DLL", "*\\VBEUI.DLL") 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_office_product_loading_vbe7_dll_filter`