LoFP / some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations

Techniques

Sample rules

Microsoft Excel Add-In Loaded From Uncommon Location

Description

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Detection logic

condition: selection
selection:
  ImageLoaded|contains:
  - \Desktop\
  - \Downloads\
  - \Perflogs\
  - \Temp\
  - \Users\Public\
  - \Windows\Tasks\
  ImageLoaded|endswith: .xll
  Image|endswith: \excel.exe
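
The tuning this false-positive note describes can be tested offline before the rule is changed. The block below is an added example, not part of the original rule or of any Sigma tooling: it evaluates the selection above with Sigma's matching semantics over constructed events and applies an exception for one accepted location. The directory in SAFE_DIRS, the account name and every sample event are assumptions made for illustration.

```python
import ntpath

# Path fragments copied from the rule's selection.
UNCOMMON_DIRS = ["\\Desktop\\", "\\Downloads\\", "\\Perflogs\\", "\\Temp\\",
                 "\\Users\\Public\\", "\\Windows\\Tasks\\"]

# Assumption: hypothetical directory this site has reviewed and accepts as safe.
SAFE_DIRS = ["C:\\Users\\svc_finance\\AppData\\Local\\Temp\\VendorAddin"]


def selection_matches(event):
    """Sigma semantics: list items OR-ed, fields AND-ed, case-insensitive."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return (image.endswith("\\excel.exe")
            and loaded.endswith(".xll")
            and any(d.lower() in loaded for d in UNCOMMON_DIRS))


def is_allowlisted(event, safe_dirs=SAFE_DIRS):
    """True only when the add-in sits inside an accepted directory."""
    loaded = ntpath.normpath(event.get("ImageLoaded", "")).lower()
    # Anchor on the full directory plus a separator so a sibling such as
    # VendorAddin2\ does not inherit the exception.
    return any(loaded.startswith(ntpath.normpath(d).lower() + "\\")
               for d in safe_dirs)


def triage(events):
    """Return the ImageLoaded paths that should still raise an alert."""
    return [e["ImageLoaded"] for e in events
            if selection_matches(e) and not is_allowlisted(e)]


EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
TEMP = "C:\\Users\\svc_finance\\AppData\\Local\\Temp"
OFFICE_LIB = "C:\\Program Files\\Microsoft Office\\root\\Office16\\Library"
# Constructed sample image-load events (not taken from real telemetry).
SAMPLE_EVENTS = [
    {"Image": EXCEL, "ImageLoaded": "C:\\Users\\alice\\Downloads\\report.xll"},
    {"Image": EXCEL, "ImageLoaded": TEMP + "\\VendorAddin\\pricing.xll"},
    {"Image": EXCEL, "ImageLoaded": TEMP + "\\VendorAddin2\\pricing.XLL"},
    {"Image": EXCEL, "ImageLoaded": OFFICE_LIB + "\\Analysis\\ANALYS32.XLL"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Users\\alice\\Desktop\\x.xll"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Scoping the exception to a full directory path, rather than removing \Temp\ from the rule, keeps coverage for every other Temp location.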