The hypothesis is that an adversary is leveraging Office applications to load the .NET Common Language Runtime (clr.dll) as part of a code execution or persistence mechanism. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential malware or malicious payloads being executed under the guise of legitimate Office activity.
Detection Rule
title: CLR DLL Loaded Via Office Applications
id: d13c43f0-f66b-4279-8b2c-5912077c1780
status: test
description: Detects CLR DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains: '\clr.dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL)

DeviceImageLoadEvents
| where (InitiatingProcessFolderPath endswith "\\excel.exe"
    or InitiatingProcessFolderPath endswith "\\mspub.exe"
    or InitiatingProcessFolderPath endswith "\\outlook.exe"
    or InitiatingProcessFolderPath endswith "\\onenote.exe"
    or InitiatingProcessFolderPath endswith "\\onenoteim.exe"
    or InitiatingProcessFolderPath endswith "\\powerpnt.exe"
    or InitiatingProcessFolderPath endswith "\\winword.exe")
    and FolderPath contains "\\clr.dll"
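The following is an added example, not part of the Sigma rule or the Sentinel query above: a small Python matcher that applies the rule's selection logic to image-load records using the Sysmon Event ID 7 field names (Image, ImageLoaded) so you can see which events the rule fires on and which it ignores. Sigma string matching is case-insensitive, so both sides are lowercased before comparing; the sample events are constructed for this example.

```python
# Added example: apply the Sigma selection above to image_load events.
# Field names follow Sysmon Event ID 7 (Image = loading process,
# ImageLoaded = DLL path). Paths in the sample events are constructed.

# Same list as the rule's Image|endswith modifier; the leading backslash
# means "winword.exe" matches but "notwinword.exe" does not.
OFFICE_IMAGES = (
    "\\excel.exe", "\\mspub.exe", "\\outlook.exe", "\\onenote.exe",
    "\\onenoteim.exe", "\\powerpnt.exe", "\\winword.exe",
)


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' block:
    Image ends with an Office binary AND ImageLoaded contains \\clr.dll.
    Sigma matching is case-insensitive, hence the .lower() calls."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(OFFICE_IMAGES) and "\\clr.dll" in loaded


def hunt(events: list) -> list:
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: Word loading the CLR -> matches (mixed case still matches)
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # 2: Excel loading an ordinary system DLL -> no match
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # 3: PowerShell loading the CLR -> no match; the rule only looks at
    #    Office images, so PowerShell-based scenarios never reach it
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # 4: a binary merely named like Office -> no match (no backslash before it)
    {"Image": r"C:\Users\Public\notwinword.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```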
Scenario: A system administrator uses PowerShell to load a CLR DLL as part of a script that automates report generation for the finance department.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "WindowsPowerShell.exe"
Scenario: A scheduled task runs a .NET application that is part of a regular data processing job, which loads a CLR DLL as part of its operation.
Filter/Exclusion: process.parent.name == "schtasks.exe" OR process.name == "taskeng.exe"
Scenario: A developer uses Visual Studio to debug a .NET application that is integrated with an Office add-in, which loads a CLR DLL during debugging.
Filter/Exclusion: process.name == "devenv.exe" OR process.parent.name == "devenv.exe"
Scenario: A Microsoft SQL Server Integration Services (SSIS) package is executed via SQL Server Agent, and it loads a CLR DLL as part of data transformation.
Filter/Exclusion: process.name == "sqlagent.exe" OR process.parent.name == "sqlservr.exe"
Scenario: An Exchange Online PowerShell session is used to run a script that loads a CLR DLL for custom email processing or compliance tasks.
Filter/Exclusion: process.name == "powershell.exe" AND process.parent.name == "powershell.exe" AND process.command_line contains "ExchangeOnlineManagementModule"