The detection of a VBA DLL loaded via an Office application may indicate the execution of malicious VBA macros used for initial compromise or payload delivery. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversarial activity leveraging Office applications as a vector for exploitation.
Detection Rule
title: VBA DLL Loaded Via Office Application
id: e6ce8457-68b1-485b-9bdd-3c2b5d679aa9
status: test
description: Detects VBA DLLs loaded by an Office application, which could indicate the presence of VBA macros.
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|endswith:
            - '\VBE7.DLL'
            - '\VBEUI.DLL'
            - '\VBE7INTL.DLL'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: high
KQL query (Azure Sentinel / Advanced Hunting):
DeviceImageLoadEvents
| where (InitiatingProcessFolderPath endswith "\\excel.exe"
      or InitiatingProcessFolderPath endswith "\\mspub.exe"
      or InitiatingProcessFolderPath endswith "\\onenote.exe"
      or InitiatingProcessFolderPath endswith "\\onenoteim.exe"
      or InitiatingProcessFolderPath endswith "\\outlook.exe"
      or InitiatingProcessFolderPath endswith "\\powerpnt.exe"
      or InitiatingProcessFolderPath endswith "\\winword.exe")
  and (FolderPath endswith "\\VBE7.DLL"
      or FolderPath endswith "\\VBEUI.DLL"
      or FolderPath endswith "\\VBE7INTL.DLL")
Scenario: Scheduled Task Running Excel Macro for Reporting
Description: A legitimate scheduled task uses Excel to generate reports via VBA macros.
Filter/Exclusion: Exclude processes associated with the task scheduler and specific Excel workbook paths used for reporting (e.g., C:\Reports\*.xlsm).
Example Filter: process.parent_process_name == "schtasks.exe" && process.name == "excel.exe" && process.path == "C:\Reports\*"

Scenario: System Admin Using VBA for Automation
Description: An admin uses VBA scripts in Excel to automate system administration tasks (e.g., user provisioning).
Filter/Exclusion: Exclude processes initiated by admin accounts with known automation scripts (e.g., C:\AdminTools\*.xlsm).
Example Filter: process.user == "Administrator" && process.name == "excel.exe" && process.path == "C:\AdminTools\*"

Scenario: Office Add-in with Embedded VBA
Description: A legitimate Office add-in (e.g., from Microsoft or a trusted vendor) contains VBA code for enhanced functionality.
Filter/Exclusion: Exclude processes associated with known trusted add-ins (e.g., Microsoft Office Add-in).
Example Filter: process.name == "excel.exe" && process.parent_process_name == "winword.exe" && process.add_in_name == "Microsoft Office Add-in"

Scenario: Database Export Using Excel VBA
Description: A database administrator uses Excel VBA to export data from a database to CSV or other formats.
Filter/Exclusion: Exclude processes that match known export scripts or paths (e.g., C:\DBExports\*.xlsm).
Example Filter: process.name == "excel.exe" && process.path == "C:\DBExports\
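To show how the rule's selection and the exclusions above combine in practice, here is an added example (not part of the Sigma rule, the KQL query, or the rule author's work) that evaluates the selection over constructed Sysmon-style image_load events and applies a folder allowlist for the legitimate-macro scenarios; the CommandLine field and all sample paths are assumptions made for the example.

```python
# Added example, not part of the Sigma rule or the query above: evaluates the
# rule's selection over Sysmon-style image_load events and applies an allowlist
# for known macro documents (the reporting/automation folders from the scenarios).

OFFICE_IMAGES = ("\\excel.exe", "\\mspub.exe", "\\onenote.exe", "\\onenoteim.exe",
                 "\\outlook.exe", "\\powerpnt.exe", "\\winword.exe")
VBA_DLLS = ("\\vbe7.dll", "\\vbeui.dll", "\\vbe7intl.dll")


def matches_rule(event: dict) -> bool:
    """Sigma string matching is case-insensitive, so compare lowercased paths."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    return image.endswith(OFFICE_IMAGES) and loaded.endswith(VBA_DLLS)


def is_allowlisted(event: dict, allowed_dirs) -> bool:
    """Exclusion modelled on the scenarios: the document opened by the Office
    process lives under a known automation folder. 'CommandLine' is an assumed
    extra field (Sysmon image_load events alone do not carry it)."""
    cmd = event.get("CommandLine", "").lower()
    return any(d.lower() in cmd for d in allowed_dirs)


def evaluate(events, allowed_dirs=()):
    """Return the events that should raise an alert."""
    return [e for e in events if matches_rule(e) and not is_allowlisted(e, allowed_dirs)]


VBE7 = r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": OFFICE + r"\WINWORD.EXE", "ImageLoaded": VBE7,
     "CommandLine": r'"WINWORD.EXE" C:\Users\alice\Downloads\invoice.docm'},
    {"Image": OFFICE + r"\EXCEL.EXE", "ImageLoaded": VBE7,
     "CommandLine": r'"EXCEL.EXE" C:\Reports\monthly.xlsm'},  # legitimate reporting task
    {"Image": OFFICE + r"\WINWORD.EXE", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "CommandLine": r'"WINWORD.EXE" C:\Users\alice\Documents\notes.docx'},
    {"Image": r"C:\Windows\System32\notepad.exe", "ImageLoaded": VBE7,
     "CommandLine": "notepad.exe"},  # VBA DLL, but not an Office process
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS, allowed_dirs=["C:\\Reports\\"]):
        print("ALERT:", hit["Image"], "->", hit["ImageLoaded"])
```

Without the allowlist both Office events alert; with C:\Reports\ excluded only the Word document from Downloads remains, which is the tuning the false-positive scenarios describe.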