← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential Arbitrary DLL Load Using Winword

Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

Quality
84
FP risk
Forks
0
Views
0
ATT&CK techniques
T1202
Rule sourcerules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml
title: Potential Arbitrary DLL Load Using Winword
id: f7375e28-5c14-432f-b8d1-1db26c832df3
related:
    - id: 2621b3a6-3840-4810-ac14-a02426086171
      type: obsolete
status: test
description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
references:
    - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-03-29
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WINWORD.exe'
        - OriginalFileName: 'WinWord.exe'
    selection_dll:
        CommandLine|contains|all:
            - '/l '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium