Techniques
Sample rules
VBA DLL Loaded Via Office Application
- source: sigma
- techniques:
- t1204
- t1204.002
Description
Detects the VBA runtime DLLs (VBE7.DLL, VBEUI.DLL, VBE7INTL.DLL) being loaded by an Office application, which indicates that VBA macro code is present and being initialised in that process. Legitimate macro-enabled documents and add-ins trigger this too, so treat it as a baseline for further triage rather than a high-confidence alert on its own.
Detection logic
selection:
    ImageLoaded|endswith:
        - \VBE7.DLL
        - \VBEUI.DLL
        - \VBE7INTL.DLL
    Image|endswith:
        - \excel.exe
        - \mspub.exe
        - \onenote.exe
        - \onenoteim.exe
        - \outlook.exe
        - \powerpnt.exe
        - \winword.exe
condition: selection
Microsoft VBA For Outlook Addin Loaded Via Outlook
- source: sigma
- techniques:
- t1204
- t1204.002
Description
Detects outlvba.dll (the Microsoft VBA for Outlook Addin) being loaded by the Outlook process, which indicates that Outlook VBA is being initialised.
Detection logic
selection:
    ImageLoaded|endswith: \outlvba.dll
    Image|endswith: \outlook.exe
condition: selection
GAC DLL Loaded Via Office Applications
- source: sigma
- techniques:
- t1204
- t1204.002
Description
Detects a .NET assembly from the Global Assembly Cache (GAC) being loaded by an Office product, which can indicate that managed code (for example a VSTO or COM add-in, or a macro that bootstraps .NET) is running inside the Office process. Note that the path filter only covers the GAC_MSIL directory; assemblies under GAC_32 and GAC_64 in C:\Windows\Microsoft.NET\assembly are not matched by this rule.
Detection logic
selection:
    ImageLoaded|startswith: C:\Windows\Microsoft.NET\assembly\GAC_MSIL
    Image|endswith:
        - \excel.exe
        - \mspub.exe
        - \onenote.exe
        - \onenoteim.exe
        - \outlook.exe
        - \powerpnt.exe
        - \winword.exe
condition: selection
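The following is an added example, not part of the Sigma project or of the rules above: it re-implements the three selections in plain Python (Sigma's `endswith`/`startswith` modifiers, case-insensitive string matching as the Sigma specification defines by default, fields AND-ed and list values OR-ed) and runs them over a handful of constructed Sysmon Event ID 7 (Image loaded) records. The DLL paths in the sample events are constructed for illustration and are not claimed to be the real on-disk locations. The last sample shows the GAC_64 gap in the third rule.

```python
"""Evaluate the three Sigma image-load rules above against constructed Sysmon
Event ID 7 (Image loaded) records.  Added example, not Sigma project code."""

OFFICE_IMAGES = [
    r"\excel.exe", r"\mspub.exe", r"\onenote.exe", r"\onenoteim.exe",
    r"\outlook.exe", r"\powerpnt.exe", r"\winword.exe",
]

# Rule name -> selection.  Keys are "<field>|<modifier>"; the values in a list
# are OR-ed, and every field in a selection must match (AND), as in Sigma.
RULES = {
    "VBA DLL Loaded Via Office Application": {
        "ImageLoaded|endswith": [r"\VBE7.DLL", r"\VBEUI.DLL", r"\VBE7INTL.DLL"],
        "Image|endswith": OFFICE_IMAGES,
    },
    "Microsoft VBA For Outlook Addin Loaded Via Outlook": {
        "ImageLoaded|endswith": [r"\outlvba.dll"],
        "Image|endswith": [r"\outlook.exe"],
    },
    "GAC DLL Loaded Via Office Applications": {
        "ImageLoaded|startswith": [r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL"],
        "Image|endswith": OFFICE_IMAGES,
    },
}


def _match_value(modifier, actual, expected):
    """Sigma string comparisons are case-insensitive by default."""
    a, e = actual.lower(), expected.lower()
    if modifier == "equals":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """True if every field of the selection matches at least one of its values."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if not any(_match_value(modifier or "equals", actual, v) for v in values):
            return False
    return True


def evaluate(event):
    """Return the names of all rules whose selection matches the event."""
    return [name for name, sel in RULES.items() if selection_matches(sel, event)]


# Constructed Sysmon EID 7 records (only the fields the rules use).
SAMPLE_EVENTS = [
    # 1: Word pulling in the VBA runtime -> rule 1.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"},
    # 2: Outlook loading its VBA add-in; upper-case on disk, still matches -> rule 2.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\ADDINS\OUTLVBA.DLL"},
    # 3: Excel loading a managed assembly from GAC_MSIL -> rule 3.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Example.Addin\v4.0_1.0.0.0__abc\Example.Addin.dll"},
    # 4: Same VBA DLL but a non-Office parent -> no rule fires (Image filter).
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"},
    # 5: Word loading from GAC_64 -> not covered by the startswith filter.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_64\Example.Native\v4.0_1.0.0.0__abc\Example.Native.dll"},
]


def run_samples():
    """Evaluate every sample event; returns a list of matched-rule lists."""
    return [evaluate(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(ev["ImageLoaded"], "->", hits or "no match")
```

Sample 5 is the case to keep in mind when tuning the third rule: a managed add-in or loader dropped into GAC_32/GAC_64 is loaded by the same Office process but produces no alert, so widen the `startswith` value (or use `contains: \assembly\GAC_`) if that coverage matters in your environment.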