Adversaries may sideload malicious DLLs from non-standard locations to execute code in the context of legitimate Microsoft Office applications, leveraging the trust associated with these files. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential code execution attacks that bypass traditional detection mechanisms.
Detection Rule
title: Microsoft Office DLL Sideload
id: 829a3bdf-34da-4051-9cf4-8ed221a8ae4f
status: test
description: Detects DLL sideloading of DLLs that are part of Microsoft Office from a non-standard location
references:
    - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
author: Nasreddine Bencherchali (Nextron Systems), Wietze Beukema (project and research)
date: 2022-08-17
modified: 2023-03-15
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1574.001
logsource:
    category: image_load
    product: windows
detection:
    selection:
        ImageLoaded|endswith: '\outllib.dll'
    filter:
        ImageLoaded|startswith:
            - 'C:\Program Files\Microsoft Office\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\OFFICE'
            - 'C:\Program Files\Microsoft Office\Root\OFFICE'
            - 'C:\Program Files (x86)\Microsoft Office\Root\OFFICE'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
DeviceImageLoadEvents
| where FolderPath endswith "\\outllib.dll"
    and not (
        FolderPath startswith "C:\\Program Files\\Microsoft Office\\OFFICE"
        or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\OFFICE"
        or FolderPath startswith "C:\\Program Files\\Microsoft Office\\Root\\OFFICE"
        or FolderPath startswith "C:\\Program Files (x86)\\Microsoft Office\\Root\\OFFICE"
    )
False Positive Scenarios
Scenario: A system administrator deploys a custom script using PowerShell to update Office templates across the network.
Filter/Exclusion: Exclude processes with ProcessName equal to powershell.exe and CommandLine containing Update-OfficeTemplate or similar administrative scripts.
Scenario: A Scheduled Task runs a legacy application that dynamically loads Microsoft Office DLLs from a local directory for compatibility reasons.
Filter/Exclusion: Exclude processes with ProcessName equal to schtasks.exe or Task Scheduler and where the FilePath is known to be a legitimate internal tool or legacy application.
Scenario: A Microsoft System Center Configuration Manager (SCCM) deployment package includes a custom DLL that interacts with Office components during software installation.
Filter/Exclusion: Exclude processes with ProcessName equal to ccmexec.exe or smsexec.exe and where the ParentProcess is a known SCCM service or deployment tool.
Scenario: An IT support tool like Microsoft Endpoint Manager (MEM) or Intune uses a custom DLL to manage Office settings, which is loaded from a non-standard location.
Filter/Exclusion: Exclude processes with ProcessName equal to intunewin.exe or memagent.exe and where the ParentProcess is a known Microsoft Endpoint Management component.
Scenario: A third-party software update tool (e.g., Microsoft Application Virtualization (App-V) or Microsoft Deployment Toolkit (MDT)) loads Office DLLs during an update or configuration process.
Filter/Exclusion: Exclude processes with ProcessName equal to AppVClient.exe, MDT.exe, or setup.exe and where the ParentProcess is a known deployment or virtualization tool.
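As an added example (not part of the original page, the Sigma rule, or its authors' code), the following Python re-implements the rule's `selection and not filter` logic and layers the scenario exclusions above on top of it, then runs both over constructed image_load events. Process names come from the scenarios; the parent-process names, command line, file paths and the `KNOWN-MEM-COMPONENT.EXE` placeholder are assumptions made for the example.

```python
# Added example: Python re-implementation of the Sigma rule above plus a
# tuning layer for the listed false-positive scenarios. Not the rule
# authors' code; sample events below are constructed.

TARGET_DLL_SUFFIX = r"\outllib.dll"

# The four prefixes from the Sigma `filter` block. Matching is done
# case-insensitively, as Sigma modifiers and KQL startswith/endswith are.
LEGIT_OFFICE_PREFIXES = (
    r"C:\Program Files\Microsoft Office\OFFICE",
    r"C:\Program Files (x86)\Microsoft Office\OFFICE",
    r"C:\Program Files\Microsoft Office\Root\OFFICE",
    r"C:\Program Files (x86)\Microsoft Office\Root\OFFICE",
)

# Tuning exclusions modelled on the scenarios. Every key present in an entry
# must hold for the event to be suppressed. Parent names, the command-line
# token and path prefix are assumptions; KNOWN-MEM-COMPONENT.EXE is a
# placeholder to be replaced with the real parent seen in the environment.
EXCLUSIONS = [
    {"name": "Office template update script",
     "process": {"powershell.exe"}, "cmdline_contains": "Update-OfficeTemplate"},
    {"name": "Scheduled legacy application",
     "process": {"schtasks.exe"}, "path_prefix": r"C:\LegacyApp"},
    {"name": "SCCM deployment",
     "process": {"ccmexec.exe", "smsexec.exe"}, "parent": {"services.exe"}},
    {"name": "Endpoint Manager / Intune component",
     "process": {"intunewin.exe", "memagent.exe"},
     "parent": {"known-mem-component.exe"}},
    {"name": "App-V / MDT update",
     "process": {"appvclient.exe", "mdt.exe", "setup.exe"}, "parent": {"services.exe"}},
]


def matches_rule(event):
    """Sigma `selection and not filter` applied to the ImageLoaded path."""
    path = event["ImageLoaded"].lower()
    if not path.endswith(TARGET_DLL_SUFFIX.lower()):      # selection
        return False
    return not any(path.startswith(p.lower()) for p in LEGIT_OFFICE_PREFIXES)  # not filter


def exclusion_for(event):
    """Return the name of the first tuning exclusion whose conditions all hold, else None."""
    proc = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    path = event["ImageLoaded"].lower()
    for ex in EXCLUSIONS:
        if proc not in ex["process"]:
            continue
        if "parent" in ex and parent not in ex["parent"]:
            continue
        if "cmdline_contains" in ex and ex["cmdline_contains"].lower() not in cmd:
            continue
        if "path_prefix" in ex and not path.startswith(ex["path_prefix"].lower()):
            continue
        return ex["name"]
    return None


def evaluate(events):
    """Return (alerts, suppressed); each suppressed item is (event, exclusion name)."""
    alerts, suppressed = [], []
    for e in events:
        if not matches_rule(e):
            continue
        why = exclusion_for(e)
        if why:
            suppressed.append((e, why))
        else:
            alerts.append(e)
    return alerts, suppressed


# Constructed sample events in Sysmon/Sigma field naming.
SAMPLE_EVENTS = [
    # Outlook loading its own library from the Click-to-Run install path: filtered out.
    {"Image": "outlook.exe", "ParentImage": "explorer.exe", "CommandLine": "",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\Root\Office16\OUTLLIB.DLL"},
    # Same DLL name loaded from a user-writable directory: the rule's hit.
    {"Image": "outlook.exe", "ParentImage": "explorer.exe", "CommandLine": "",
     "ImageLoaded": r"C:\Users\Public\Downloads\outllib.dll"},
    # Admin template script (first scenario): matches the rule, suppressed by tuning.
    {"Image": "powershell.exe", "ParentImage": "explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\Update-OfficeTemplate.ps1",
     "ImageLoaded": r"C:\Scripts\lib\outllib.dll"},
    # A different DLL: never selected.
    {"Image": "winword.exe", "ParentImage": "explorer.exe", "CommandLine": "",
     "ImageLoaded": r"C:\Users\Public\Downloads\other.dll"},
]

if __name__ == "__main__":
    hits, quiet = evaluate(SAMPLE_EVENTS)
    for h in hits:
        print("ALERT     ", h["Image"], "->", h["ImageLoaded"])
    for e, why in quiet:
        print("SUPPRESSED", e["Image"], "->", e["ImageLoaded"], f"({why})")
```

The exclusions deliberately require more than a process name: a name alone is trivial to reuse, so each entry pairs it with a parent, a command-line token or an allowlisted path, and the path prefixes are compared lower-cased so that `OUTLLIB.DLL` under `Office16` is treated the same way the Sigma rule and the KQL `startswith`/`endswith` operators treat it. Keep each tuning entry as narrow as the environment allows and review it against the rule's `high` level before shipping it.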