-
-
Notifications
You must be signed in to change notification settings - Fork 203
Expand file tree
/
Copy pathdefense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml
More file actions
41 lines (38 loc) · 1.5 KB
/
defense_evasion_dll_sideloading_via_microsoft_office_dropped_file.yml
File metadata and controls
41 lines (38 loc) · 1.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: DLL Side-Loading via Microsoft Office dropped file
id: d808175d-c4f8-459d-b17f-ca9a88890c04
version: 1.0.5
description: |
Identifies Microsoft Office process creating a DLL or other variant of an executable object which
is later loaded by a trusted binary. Adversaries may exploit this behavior by delivering malicious
modules via Microsoft Office documents.
labels:
tactic.id: TA0005
tactic.name: Defense Evasion
tactic.ref: https://attack.mitre.org/tactics/TA0005/
technique.id: T1574
technique.name: Hijack Execution Flow
technique.ref: https://attack.mitre.org/techniques/T1574/
subtechnique.id: T1574.002
subtechnique.name: DLL Side-Loading
subtechnique.ref: https://attack.mitre.org/techniques/T1574/002/
condition: >
sequence
maxspan 6m
|create_file and
ps.name iin msoffice_binaries and
(file.extension iin ('.dll', '.cpl', '.ocx') or file.is_dll)
| by file.path
|(load_unsigned_or_untrusted_dll) and
ps.name not iin msoffice_binaries and ps.signature.trusted = true and
dll.path not imatches '?:\\Windows\\assembly\\NativeImages_*' and
ps.exe not imatches
(
'?:\\Windows\\System32\\msiexec.exe',
'?:\\Windows\\SysWOW64\\msiexec.exe',
'?:\\Windows\\System32\\spoolsv.exe'
)
| by dll.path
output: >
Suspicious DLL %1.file.path dropped by Microsoft Office process %1.ps.exe and subsequently loaded by process %2.ps.exe
severity: high
min-engine-version: 3.0.0