LoFP / Some legitimate Excel add-ins and administrative tools may create XLL files outside typical locations. Review and allow approved applications to reduce false positives.

Techniques

Sample rules

Windows XLL File Creation Outside of Typical Location

Description

Detects the creation of an XLL file (a native DLL that Excel loads as an add-in) outside of the locations where Office and legitimately installed add-ins normally place them. An XLL written to a user profile, temp directory or other unusual path can indicate an attempt to abuse Excel COM objects (for example the Excel.Application object's RegisterXLL method) to load and execute a malicious XLL.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Filesystem
    where Filesystem.file_path="*.xll"
      NOT Filesystem.file_path IN (
        "*:\\Program Files\\Microsoft Office\\*",
        "*\\AppData\\Roaming\\Microsoft\\AddIns\\*"
      )
    by Filesystem.dest Filesystem.file_create_time Filesystem.process_path
       Filesystem.process_guid Filesystem.process_id Filesystem.file_path
       Filesystem.action Filesystem.file_name Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_xll_file_creation_outside_of_typical_location_filter`
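To see what the search above matches and where the false positive described at the top of this page comes in, here is an added Python example (not code from the page or from the Splunk rule) that applies the same where clause and a subset of the by-clause grouping to a handful of constructed Endpoint.Filesystem-style events. The process-path allowlist in `detect()` stands in for the rule's `windows_xll_file_creation_outside_of_typical_location_filter` macro; all hosts, users, paths and the deployment tool are hypothetical, and path matching is done case-insensitively because Windows paths are, which you should confirm matches how your tstats where clause behaves.

```python
import fnmatch

# Exclusion globs copied from the rule's where clause.
TYPICAL_XLL_LOCATIONS = (
    r"*:\Program Files\Microsoft Office\*",
    r"*\AppData\Roaming\Microsoft\AddIns\*",
)


def _glob(path, pattern):
    # Windows paths are case-insensitive, so compare lower-cased on both sides.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def is_suspicious_xll_path(file_path):
    """Mirror of the where clause: file_path="*.xll" AND NOT in a typical location."""
    if not _glob(file_path, "*.xll"):
        return False
    return not any(_glob(file_path, p) for p in TYPICAL_XLL_LOCATIONS)


def detect(events, approved_process_paths=()):
    """Group matching events on (dest, process_path, file_path, user), a subset of
    the rule's by clause, producing count/firstTime/lastTime per group. The
    allowlist plays the role of the filter macro: approved tools are dropped."""
    approved = {p.lower() for p in approved_process_paths}
    groups = {}
    for ev in events:
        if not is_suspicious_xll_path(ev["file_path"]):
            continue
        if ev["process_path"].lower() in approved:
            continue  # tuned out as a known-good add-in installer / admin tool
        key = (ev["dest"], ev["process_path"], ev["file_path"], ev["user"])
        g = groups.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        )
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return [
        dict(dest=k[0], process_path=k[1], file_path=k[2], user=k[3], **v)
        for k, v in groups.items()
    ]


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # Excel saving a user add-in into the per-user AddIns folder: excluded.
    {"_time": 1700000000, "dest": "ws01", "user": "CORP\\alice",
     "process_path": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "file_path": r"C:\Users\alice\AppData\Roaming\Microsoft\AddIns\budget.xll"},
    # Office setup writing a bundled add-in under Program Files (upper-case extension): excluded.
    {"_time": 1700000010, "dest": "ws01", "user": "NT AUTHORITY\\SYSTEM",
     "process_path": r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe",
     "file_path": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"},
    # Mail client dropping an attachment into Temp, twice: the case the rule targets.
    {"_time": 1700000020, "dest": "ws02", "user": "CORP\\bob",
     "process_path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "file_path": r"C:\Users\bob\AppData\Local\Temp\invoice_2024.xll"},
    {"_time": 1700000025, "dest": "ws02", "user": "CORP\\bob",
     "process_path": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "file_path": r"C:\Users\bob\AppData\Local\Temp\invoice_2024.xll"},
    # Hypothetical approved deployment tool staging an add-in in a custom folder:
    # matches the search, so it must be handled in the filter macro / allowlist.
    {"_time": 1700000030, "dest": "ws03", "user": "NT AUTHORITY\\SYSTEM",
     "process_path": r"C:\Tools\AddinDeploy\deploy.exe",
     "file_path": r"C:\Tools\Finance\fx_rates.xll"},
]


if __name__ == "__main__":
    print("untuned:", detect(SAMPLE_EVENTS))
    print("tuned:  ", detect(SAMPLE_EVENTS, [r"C:\Tools\AddinDeploy\deploy.exe"]))
```

Run untuned, the search returns both the Temp drop (count 2, first and last times preserved) and the deployment tool's write; adding the tool's process path to the allowlist leaves only the Temp drop, which is the tuning the false positive note above asks for. Note also that the exclusion `*:\\Program Files\\Microsoft Office\\*` as written does not cover `Program Files (x86)`, so 32-bit Office installs that ship XLLs will surface in results until handled in the filter macro.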