sigmamediumHunting

Potential Arbitrary DLL Load Using Winword

Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.

MITRE ATT&CK

defense-evasion

Detection Query

selection_img:
  - Image|endswith: \WINWORD.exe
  - OriginalFileName: WinWord.exe
selection_dll:
  CommandLine|contains|all:
    - "/l "
    - .dll
condition: all of selection_*

Author

Victor Sergeev, oscd.community

Created

2020-10-09

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py

Tags

attack.defense-evasionattack.t1202

Raw Content

title: Potential Arbitrary DLL Load Using Winword
id: f7375e28-5c14-432f-b8d1-1db26c832df3
related:
    - id: 2621b3a6-3840-4810-ac14-a02426086171
      type: obsolete
status: test
description: Detects potential DLL sideloading using the Microsoft Office winword process via the '/l' flag.
references:
    - https://github.com/D4Vinci/One-Lin3r/blob/9fdfa5f0b9c698dfbd4cdfe7d2473192777ae1c6/one_lin3r/core/liners/windows/cmd/dll_loader_word.py
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2023-03-29
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\WINWORD.exe'
        - OriginalFileName: 'WinWord.exe'
    selection_dll:
        CommandLine|contains|all:
            - '/l '
            - '.dll'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium