Adversaries may have an Office application load the PowerShell engine assembly (System.Management.Automation.dll) directly, so PowerShell code runs inside the Office process as part of a persistence or execution tactic without a separate powershell.exe process ever appearing. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or command and control activity that evades traditional, process-creation-based detection.
Detection Rule
title: PowerShell Core DLL Loaded Via Office Application
id: bb2ba6fb-95d4-4a25-89fc-30bb736c021a
status: test
description: Detects PowerShell core DLL being loaded by an Office Product
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-01
tags:
    - attack.defense-evasion
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\outlook.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|contains:
            - '\System.Management.Automation.Dll'
            - '\System.Management.Automation.ni.Dll'
    condition: selection
falsepositives:
    - Unknown
level: medium
Azure Sentinel (KQL) translation of the rule, with Image mapped to InitiatingProcessFolderPath and ImageLoaded to FolderPath:
DeviceImageLoadEvents
| where (InitiatingProcessFolderPath endswith "\\excel.exe"
        or InitiatingProcessFolderPath endswith "\\mspub.exe"
        or InitiatingProcessFolderPath endswith "\\outlook.exe"
        or InitiatingProcessFolderPath endswith "\\onenote.exe"
        or InitiatingProcessFolderPath endswith "\\onenoteim.exe"
        or InitiatingProcessFolderPath endswith "\\powerpnt.exe"
        or InitiatingProcessFolderPath endswith "\\winword.exe")
    and (FolderPath contains "\\System.Management.Automation.Dll"
        or FolderPath contains "\\System.Management.Automation.ni.Dll")
False Positive Scenarios and Tuning
1. Scenario: A system administrator uses PowerShell ISE to run a script that loads powershell.exe via a Process.Start call for debugging purposes.
   Filter/Exclusion: Check for Process.Start calls originating from powershell_ise.exe or scripts with a known admin task tag (e.g., AdminTask_Debugging).
2. Scenario: A scheduled task runs a script that uses Microsoft Excel to load a PowerShell DLL as part of a data processing workflow.
   Filter/Exclusion: Filter events where the parent process is excel.exe and the script path is known to be part of a legitimate data processing tool (e.g., DataProcessingScript.ps1).
3. Scenario: A Microsoft Word macro is used to launch a PowerShell script that loads the core DLL as part of a document automation process.
   Filter/Exclusion: Exclude events where the parent process is winword.exe and the script is associated with a known automation tool (e.g., DocumentAutomation.ps1).
4. Scenario: A PowerShell module is loaded via PowerShell Core as part of a regular system maintenance task, such as updating system configurations.
   Filter/Exclusion: Filter events where the script is signed by a trusted certificate or comes from a known system module directory (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\Modules).
5. Scenario: A Microsoft Outlook add-in triggers a PowerShell script that loads the core DLL to automate email processing.
   Filter/Exclusion: Exclude events where the parent process is outlook.exe and the script is part of a known add-in or third-party tool (e.g., EmailAutomation.ps1).
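To show how the selection above and the script-based exclusions from the scenarios behave on real-looking telemetry, here is an added Python example (not the rule author's code, not the Sigma or Sentinel engine) that evaluates the rule over constructed DeviceImageLoadEvents-shaped records; all paths, command lines and script names in it are hypothetical.

```python
# Added example (not the rule author's code): runs the Sigma selection above
# over constructed DeviceImageLoadEvents-shaped records, then applies the
# known-script allowlist from the tuning scenarios. Sigma and KQL match strings
# case-insensitively (the rule writes '.Dll', disk names are '.dll'), so both
# sides are lowercased before comparing.
OFFICE_IMAGES = ("\\excel.exe", "\\mspub.exe", "\\outlook.exe", "\\onenote.exe",
                 "\\onenoteim.exe", "\\powerpnt.exe", "\\winword.exe")
PS_ENGINE_DLLS = ("\\system.management.automation.dll",
                  "\\system.management.automation.ni.dll")

def matches_rule(event: dict) -> bool:
    """Image|endswith an Office binary AND ImageLoaded|contains the PS DLL."""
    image = event.get("InitiatingProcessFolderPath", "").lower()
    loaded = event.get("FolderPath", "").lower()
    return image.endswith(OFFICE_IMAGES) and any(d in loaded for d in PS_ENGINE_DLLS)

def is_allowlisted(event: dict, known_scripts) -> bool:
    """Suppress a hit whose initiating command line names a known script."""
    cmd = event.get("InitiatingProcessCommandLine", "").lower()
    return any(s.lower() in cmd for s in known_scripts)

def hunt(events, known_scripts=()) -> list:
    """Events that match the rule and are not covered by the allowlist."""
    known = tuple(known_scripts)
    return [e for e in events if matches_rule(e) and not is_allowlisted(e, known)]

# Constructed sample telemetry; paths and command lines are hypothetical.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
NI_DLL = (r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation"
          r"\0123456789abcdef\System.Management.Automation.ni.dll")
GAC_DLL = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
           r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    # 1: Word loading the native-image PS engine from a macro document -> alert
    {"InitiatingProcessFolderPath": OFFICE + r"\WINWORD.EXE", "FolderPath": NI_DLL,
     "InitiatingProcessCommandLine": r'"WINWORD.EXE" /n "C:\Users\alice\invoice.docm"'},
    # 2: Excel driving a known data-processing script -> allowlist candidate
    {"InitiatingProcessFolderPath": OFFICE + r"\EXCEL.EXE", "FolderPath": GAC_DLL,
     "InitiatingProcessCommandLine": r'"EXCEL.EXE" C:\Tools\DataProcessingScript.ps1'},
    # 3: powershell.exe itself loading the engine -> not an Office parent, no match
    {"InitiatingProcessFolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "FolderPath": GAC_DLL, "InitiatingProcessCommandLine": "powershell.exe -File maint.ps1"},
    # 4: Word loading an unrelated DLL -> no match
    {"InitiatingProcessFolderPath": OFFICE + r"\WINWORD.EXE",
     "FolderPath": r"C:\Windows\System32\kernel32.dll", "InitiatingProcessCommandLine": '"WINWORD.EXE"'},
]
```

Running `hunt(SAMPLE_EVENTS)` returns events 1 and 2; passing `known_scripts=["DataProcessingScript.ps1"]` suppresses event 2 and leaves only the macro-driven load, which is the case the rule is meant to surface.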