Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Microsoft Excel Add-In Loaded From Uncommon Location

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nasreddine Bencherchali (Nextron Systems)Created Fri May 12af4c4609-5755-42fe-8075-4effb49f5d44windows
Log Source
WindowsImage Load (DLL)
ProductWindows← raw: windows
CategoryImage Load (DLL)← raw: image_load
Detection Logic
Detection Logic1 selector
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|contains:
            # Note: Add or remove locations from this list based on your internal policy
            - '\Desktop\'
            - '\Downloads\'
            - '\Perflogs\'
            - '\Temp\'
            - '\Users\Public\'
            - '\Windows\Tasks\'
        ImageLoaded|endswith: '.xll'
    condition: selection
False Positives

Some tuning might be required to allow or remove certain locations used by the rule if you consider them as safe locations

References
1
Resolving title…
mandiant.com
2
Resolving title…
wazuh.com
MITRE ATT&CK
Related Rules
DerivedThreat Huntlow

Microsoft Excel Add-In Loaded

Detects Microsoft Excel loading an Add-In (.xll) file

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
af4c4609-5755-42fe-8075-4effb49f5d44
Status
test
Level
medium
Type
Detection
Created
Fri May 12
Author
Nasreddine Bencherchali (Nextron Systems)
Path
rules/windows/image_load/image_load_office_excel_xll_susp_load.yml
Raw Tags
attack.executionattack.t1204.002
View on GitHub