The hypothesis is that an adversary is leveraging Office applications to load malicious .NET assemblies, potentially executing arbitrary code within the environment. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential code execution threats that bypass traditional endpoint defenses.
Detection Rule
title: DotNET Assembly DLL Loaded Via Office Application
id: ff0f2b05-09db-4095-b96d-1b75ca24894a
status: test
description: Detects any assembly DLL being loaded by an Office Product
references:
- https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-03-29
tags:
- attack.execution
- attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\assembly\'
    condition: selection
falsepositives:
- Unknown
level: medium
DeviceImageLoadEvents
| where InitiatingProcessFolderPath endswith "\\excel.exe"
    or InitiatingProcessFolderPath endswith "\\mspub.exe"
    or InitiatingProcessFolderPath endswith "\\onenote.exe"
    or InitiatingProcessFolderPath endswith "\\onenoteim.exe"
    or InitiatingProcessFolderPath endswith "\\outlook.exe"
    or InitiatingProcessFolderPath endswith "\\powerpnt.exe"
    or InitiatingProcessFolderPath endswith "\\winword.exe"
| where FolderPath startswith "C:\\Windows\\assembly\\"
Scenario: A system administrator uses PowerShell to load a .dll file as part of a script that configures Office add-ins.
Filter/Exclusion: Exclude processes where the parent process is powershell.exe and the script path contains AddInConfig.ps1 or similar administrative scripts.
Scenario: A scheduled task runs a legacy .NET application that loads a DLL to perform routine data processing, such as generating reports in Excel.
Filter/Exclusion: Exclude processes where the parent process is schtasks.exe and the task name contains ReportGenerator or similar job names.
Scenario: A developer uses Visual Studio to debug an Office add-in, which dynamically loads a DLL for testing purposes.
Filter/Exclusion: Exclude processes where the parent process is devenv.exe and the process name contains Debug or Test.
Scenario: A Windows Service that runs an Office automation task (e.g., generating Word documents) loads a DLL as part of its operation.
Filter/Exclusion: Exclude processes where the parent process is services.exe and the service name contains OfficeAutomationService or similar.
Scenario: A Group Policy deployment uses Group Policy Preferences to deploy a custom DLL to all client machines, which is loaded by an Office application during startup.
Filter/Exclusion: Exclude processes where the parent process is gpupdate.exe or msiexec.exe and the DLL path is within a known GPO deployment directory.
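As an added example (not part of the original page or the rule author's work), the Python below reproduces the rule's selection logic over constructed rows shaped like DeviceImageLoadEvents and applies the parent-process exclusions above as paired conditions (parent name plus an expected marker) rather than bare parent names. The ParentCommandLine field, the TUNED_PARENTS table and the sample paths are assumptions made for the example.

```python
# Office host images from the rule's Image|endswith list.
OFFICE_IMAGES = ("\\excel.exe", "\\mspub.exe", "\\onenote.exe", "\\onenoteim.exe",
                 "\\outlook.exe", "\\powerpnt.exe", "\\winword.exe")
ASSEMBLY_PREFIX = "c:\\windows\\assembly\\"

# Hypothetical tuning table modelled on the page's exclusion scenarios:
# parent process name -> marker that must also appear in the parent's command line.
# ParentCommandLine is an assumed enrichment (e.g. a join with process-creation
# telemetry); DeviceImageLoadEvents alone only carries the parent's file name.
TUNED_PARENTS = {"powershell.exe": "addinconfig.ps1", "devenv.exe": "debug"}

def matches_selection(event: dict) -> bool:
    """Sigma 'selection': an Office host loading an image from the GAC directory.
    Matching is case-insensitive, as Sigma string modifiers are by default."""
    host = event.get("InitiatingProcessFolderPath", "").lower()
    loaded = event.get("FolderPath", "").lower()
    return host.endswith(OFFICE_IMAGES) and loaded.startswith(ASSEMBLY_PREFIX)

def is_tuned_out(event: dict) -> bool:
    """Suppress a hit only when the parent name AND its expected marker both match;
    the parent name alone is a weak signal and should not clear an alert."""
    marker = TUNED_PARENTS.get(event.get("InitiatingProcessParentFileName", "").lower())
    return marker is not None and marker in event.get("ParentCommandLine", "").lower()

def hunt(events: list) -> list:
    """Return the rule hits that survive tuning, in input order."""
    return [e for e in events if matches_selection(e) and not is_tuned_out(e)]

# Constructed sample rows shaped like DeviceImageLoadEvents (not real telemetry).
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
GAC_DLL = "C:\\Windows\\assembly\\GAC_MSIL\\SampleLib\\1.0.0.0__0123456789abcdef\\SampleLib.dll"
SAMPLE_EVENTS = [
    # Word launched from Explorer loading a GAC assembly: rule hit, no exclusion applies.
    {"InitiatingProcessFolderPath": OFFICE + "WINWORD.EXE", "FolderPath": GAC_DLL,
     "InitiatingProcessParentFileName": "explorer.exe", "ParentCommandLine": "explorer.exe"},
    # Excel started by the add-in configuration script: suppressed by tuning.
    {"InitiatingProcessFolderPath": OFFICE + "EXCEL.EXE", "FolderPath": GAC_DLL,
     "InitiatingProcessParentFileName": "powershell.exe",
     "ParentCommandLine": "powershell.exe -File C:\\Scripts\\AddInConfig.ps1"},
    # Excel started by PowerShell without the marker: stays a hit.
    {"InitiatingProcessFolderPath": OFFICE + "EXCEL.EXE", "FolderPath": GAC_DLL,
     "InitiatingProcessParentFileName": "powershell.exe", "ParentCommandLine": "powershell.exe -NoProfile"},
    # Non-Office host loading from the GAC: outside the rule's scope.
    {"InitiatingProcessFolderPath": "C:\\Windows\\System32\\notepad.exe", "FolderPath": GAC_DLL,
     "InitiatingProcessParentFileName": "explorer.exe", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["InitiatingProcessFolderPath"], "->", hit["FolderPath"])
```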