Adversaries may leverage GAC DLLs loaded via Office applications to execute arbitrary code with elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential persistence mechanisms and mitigate advanced threats that exploit trusted execution paths.
Detection Rule
title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: high
DeviceImageLoadEvents
| where (InitiatingProcessFolderPath endswith "\\excel.exe"
        or InitiatingProcessFolderPath endswith "\\mspub.exe"
        or InitiatingProcessFolderPath endswith "\\onenote.exe"
        or InitiatingProcessFolderPath endswith "\\onenoteim.exe"
        or InitiatingProcessFolderPath endswith "\\outlook.exe"
        or InitiatingProcessFolderPath endswith "\\powerpnt.exe"
        or InitiatingProcessFolderPath endswith "\\winword.exe")
    and FolderPath startswith "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL"
Scenario: Scheduled Task Running a Legacy Reporting Tool
  Description: A scheduled task runs a legacy reporting tool (e.g., Microsoft Excel Services) that loads a GAC DLL for data processing.
  Filter/Exclusion: process.name != "ExcelServices.exe" and process.name != "Excel.exe"

Scenario: System Update or Patch Installation
  Description: A Windows update or patch installation process (e.g., wusa.exe) temporarily loads a GAC DLL as part of the update process.
  Filter/Exclusion: process.name != "wusa.exe" and process.name != "msiexec.exe"

Scenario: Microsoft Office Add-in Deployment
  Description: An admin deploys a custom Microsoft Office add-in (e.g., using Add-in Manager or the Office Deployment Tool) that references a GAC DLL.
  Filter/Exclusion: process.name != "setup.exe" and process.name != "OfficeCustomization.exe"

Scenario: PowerShell Script Loading GAC DLL for Automation
  Description: A PowerShell script (e.g., PowerShell.exe) is used to load a GAC DLL for automation tasks such as data export/import.
  Filter/Exclusion: process.name != "powershell.exe" and process.name != "pwsh.exe", combined with a custom process.command_line filter.

Scenario: Admin Task Using GAC DLL for Compliance Reporting
  Description: A system admin runs a compliance reporting tool (e.g., Microsoft Compliance Manager) that uses a GAC DLL to generate reports.
  Filter/Exclusion: process.name != "ComplianceManager.exe" and process.name != "ReportServer.exe"
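The following is an added example, not part of the rule or of the Sigma project: it applies the rule's selection logic (Office host process AND a DLL loaded from GAC_MSIL) to constructed image_load records, and shows the per-environment tuning the falsepositives note asks for as an allowlist of reviewed DLL paths. The sample events, the `Example.Lib` and `Contoso.Addin` paths and the `APPROVED_ADDINS` set are constructed for illustration.

```python
"""Offline check of the 'GAC DLL Loaded Via Office Applications' logic.

Applies the Sigma selection (Office host process AND ImageLoaded under
GAC_MSIL) to constructed image_load records, then an optional allowlist of
known-good loaded DLL paths for the per-environment tuning the rule asks for.
"""
from __future__ import annotations

# Suffixes from the rule's Image|endswith list, lower-cased for comparison.
OFFICE_IMAGES = (
    "\\excel.exe", "\\mspub.exe", "\\onenote.exe", "\\onenoteim.exe",
    "\\outlook.exe", "\\powerpnt.exe", "\\winword.exe",
)
GAC_PREFIX = "c:\\windows\\microsoft.net\\assembly\\gac_msil"


def matches_selection(event: dict) -> bool:
    """Sigma string modifiers match case-insensitively; Python's do not, so normalise."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(OFFICE_IMAGES) and loaded.startswith(GAC_PREFIX)


def hunt(events: list[dict], allowlist: frozenset[str] = frozenset()) -> list[dict]:
    """Return rule hits whose loaded DLL path is not on the tuned allowlist."""
    allowed = {path.lower() for path in allowlist}
    return [e for e in events
            if matches_selection(e) and e["ImageLoaded"].lower() not in allowed]


# Constructed Sysmon Event ID 7 style records; paths are illustrative, not real telemetry.
SAMPLE_EVENTS = [
    # 1: Word loading a GAC_MSIL assembly (upper-case Image exercises case handling)
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Example.Lib\\Example.Lib.dll"},
    # 2: Excel loading a normal system DLL: not a GAC_MSIL path, no hit
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll"},
    # 3: PowerShell loading from GAC_MSIL: not an Office host, outside this rule's scope
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Example.Lib\\Example.Lib.dll"},
    # 4: Outlook loading a reviewed in-house add-in, tuned out via the allowlist
    {"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Contoso.Addin\\Contoso.Addin.dll"},
]
APPROVED_ADDINS = frozenset({"C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Contoso.Addin\\Contoso.Addin.dll"})

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, APPROVED_ADDINS):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

Allowlisting by full loaded-DLL path rather than by process name keeps the rule's Office-host coverage intact while removing only the add-ins you have reviewed.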