sigmahighHunting

GAC DLL Loaded Via Office Applications

Detects any GAC DLL being loaded by an Office Product

MITRE ATT&CK

execution

Detection Query

selection:
  Image|endswith:
    - \excel.exe
    - \mspub.exe
    - \onenote.exe
    - \onenoteim.exe
    - \outlook.exe
    - \powerpnt.exe
    - \winword.exe
  ImageLoaded|startswith: C:\Windows\Microsoft.NET\assembly\GAC_MSIL
condition: selection

Author

Antonlovesdnb

Created

2020-02-19

Data Sources

windowsImage Load Events

Platforms

windows

References

https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16

Tags

attack.executionattack.t1204.002

Raw Content

title: GAC DLL Loaded Via Office Applications
id: 90217a70-13fc-48e4-b3db-0d836c5824ac
status: test
description: Detects any GAC DLL being loaded by an Office Product
references:
    - https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16
author: Antonlovesdnb
date: 2020-02-19
modified: 2023-02-10
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: image_load
    product: windows
detection:
    selection:
        Image|endswith:
            - '\excel.exe'
            - '\mspub.exe'
            - '\onenote.exe'
            - '\onenoteim.exe' # Just in case
            - '\outlook.exe'
            - '\powerpnt.exe'
            - '\winword.exe'
        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
    condition: selection
falsepositives:
    - Legitimate macro usage. Add the appropriate filter according to your environment
level: high