Threat Hunt | low | test

Microsoft Excel Add-In Loaded

Detects Microsoft Excel loading an Add-In (.xll) file

Author: Nasreddine Bencherchali (Nextron Systems) | Created: Fri May 12 | Rule ID: c5f4b5cb-4c25-4249-ba91-aa03626e3185 | Platform: windows
Hunting Hypothesis
Log Source
Product: Windows (raw: windows)
Category: Image Load (DLL) (raw: image_load)
Detection Logic (1 selector)
detection:
    selection:
        Image|endswith: '\excel.exe'
        ImageLoaded|endswith: '.xll'
    condition: selection
False Positives

The rule only looks for ".xll" loads, so some false positives are expected from legitimate and allowed XLLs.
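To show how the selection above behaves on image-load telemetry, and how the false-positive tuning the note describes can be expressed as a Sigma-style filter, here is an added example (not part of the rule or this page): a minimal evaluator for the rule run over constructed Sysmon Event ID 7 style records. The vendor directory used in the tuned variant is an assumed example path, not something the rule specifies.

```python
# Added example, not part of the Sigma rule or this page: evaluate the rule's
# selection over constructed Sysmon Event ID 7 (image load) style records.
RULE = {
    "selection": {"Image|endswith": r"\excel.exe", "ImageLoaded|endswith": ".xll"},
    "condition": "selection",
}
# Tuned variant (assumed for illustration, not from the page): exclude XLLs
# loaded from a vendor directory the organisation has vetted.
TUNED_RULE = {
    "selection": RULE["selection"],
    "filter": {"ImageLoaded|startswith": r"C:\Program Files\Vendor\\"[:-1]},
    "condition": "selection and not filter",
}
MATCHERS = {
    "endswith": str.endswith, "startswith": str.startswith,
    "contains": lambda v, p: p in v, "": str.__eq__,
}

def match_field(value, modifier, pattern):
    """Sigma string matching is case-insensitive by default."""
    return MATCHERS[modifier](value.lower(), pattern.lower())

def selection_matches(selection, event):
    """A selection map is the AND of its field conditions."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not match_field(str(value), modifier, pattern):
            return False
    return True

def rule_matches(rule, event):
    """Handles the condition shapes 'sel' and 'sel and not flt' used here."""
    positive, _, negative = rule["condition"].partition(" and not ")
    if not selection_matches(rule[positive], event):
        return False
    return not (negative and selection_matches(rule[negative], event))

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
# Constructed image-load events (not real telemetry): 0 and 3 fire on RULE,
# only 0 on TUNED_RULE; 1 is an ordinary DLL and 2 is not Excel.
EVENTS = [{"Image": img, "ImageLoaded": dll} for img, dll in [
    (OFFICE + r"\EXCEL.EXE", r"C:\Users\alice\Downloads\Invoice.xll"),
    (OFFICE + r"\EXCEL.EXE", r"C:\Windows\System32\kernel32.dll"),
    (OFFICE + r"\WINWORD.EXE", r"C:\Users\alice\Downloads\Invoice.xll"),
    (OFFICE + r"\excel.exe", r"C:\Program Files\Vendor\Analysis.XLL"),
]]

def hunt(rule, events):
    """Return the indexes of events the rule fires on."""
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]
```

Note that the mixed-case `excel.exe` / `Analysis.XLL` record still matches, because Sigma string comparisons are case-insensitive; a converted backend query that is case-sensitive would miss it.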

MITRE ATT&CK

attack.execution
attack.t1204.002

Other

detection.threat-hunting
Rule Metadata
Rule ID
c5f4b5cb-4c25-4249-ba91-aa03626e3185
Status
test
Level
low
Type
Threat Hunt
Created
Fri May 12
Path
rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml
Raw Tags
attack.execution, attack.t1204.002, detection.threat-hunting