← Back to Explore
sigmalowHunting
Microsoft Word Add-In Loaded
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
Detection Query
selection:
Image|endswith: \winword.exe
ImageLoaded|endswith: .wll
condition: selection
Author
Steffen Rogge (dr0pd34d)
Created
2024-07-10
Data Sources
windowsImage Load Events
Platforms
windows
References
Tags
attack.executionattack.t1204.002detection.threat-hunting
Raw Content
title: Microsoft Word Add-In Loaded
id: 1337afba-d17d-4d23-bd55-29b927603b30
status: test
description: |
Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
references:
- https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
- https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
author: Steffen Rogge (dr0pd34d)
date: 2024-07-10
tags:
- attack.execution
- attack.t1204.002
- detection.threat-hunting
logsource:
category: image_load
product: windows
detection:
selection:
Image|endswith: '\winword.exe'
ImageLoaded|endswith: '.wll'
condition: selection
falsepositives:
- The rules is only looking for ".wll" loads. So some false positives are expected with legitimate and allowed WLLs.
level: low