Microsoft Word Add-In Loaded
Detects Microsoft Word (winword.exe) loading a Word Add-In (.wll) file. A WLL is a DLL with a Word-specific export that Word loads automatically, which threat actors can use for initial access or persistence.
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic
```yaml
detection:
    selection:
        Image|endswith: '\winword.exe'
        ImageLoaded|endswith: '.wll'
    condition: selection
```
False Positives
The rule only looks for ".wll" loads by winword.exe, so some false positives are expected from legitimate, approved WLL add-ins. Baseline the WLL paths seen in your environment and filter known-good ones.
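The following is an added example, not part of the original rule or the Sigma project: it applies the selection above to a handful of constructed Sysmon Event ID 7 (Image loaded) records, reduced to the two fields the rule inspects, and then applies a hypothetical allow-list of approved WLL paths to illustrate the false-positive handling described above. Sigma string matching is case-insensitive by default, which is why the mixed-case `grammar.WLL` sample still matches the `.wll` suffix. The sample paths and the allow-list are assumptions made for the example.

```python
"""Evaluate the Sigma selection for Word WLL loads over constructed sample events."""

# Constructed Sysmon Event ID 7 records (assumption: made-up sample telemetry,
# reduced to the Image and ImageLoaded fields that the rule inspects).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Microsoft\Word\STARTUP\update.wll"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Microsoft\AddIns\analysis.xll"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\winword.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\Approved\grammar.WLL"},
]

# The rule's selection, written as Sigma field|modifier keys.
SELECTION = {
    "Image|endswith": "\\winword.exe",
    "ImageLoaded|endswith": ".wll",
}

# Hypothetical allow-list of approved WLL paths (assumption for the example).
KNOWN_GOOD_WLL = {r"c:\program files\vendor\approved\grammar.wll"}


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """Return True when every field|modifier pair in the selection matches (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        if modifier == "endswith":
            if not sigma_endswith(actual, expected):
                return False
        elif modifier == "":
            if actual.lower() != expected.lower():
                return False
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
    return True


def raw_matches(events: list) -> list:
    """Paths of loaded images that satisfy the rule's selection."""
    return [ev["ImageLoaded"] for ev in events if matches_selection(ev)]


def hunt(events: list, known_good: set = KNOWN_GOOD_WLL) -> list:
    """Rule matches minus baselined, approved WLL paths (false-positive filter)."""
    return [path for path in raw_matches(events) if path.lower() not in known_good]


if __name__ == "__main__":
    for path in hunt(SAMPLE_EVENTS):
        print("suspicious WLL load:", path)
```

The `raw_matches` result is what a backend query generated from the rule would return; `hunt` is the analyst-side filtering step, which belongs in a tuning layer or an exclusion filter rather than in the rule itself.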
MITRE ATT&CK
Tactic: Execution
Technique: T1204.002 User Execution: Malicious File
Rule Metadata
Rule ID
1337afba-d17d-4d23-bd55-29b927603b30
Status
test
Level
low
Type
Threat Hunt
Created
Wed Jul 10
Author
Path
rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml
Raw Tags
attack.execution, attack.t1204.002, detection.threat-hunting