Detection rule (level: medium, status: test)

Potential Arbitrary DLL Load Using Winword

Detects potential DLL sideloading through the Microsoft Office Word process (WINWORD.EXE) started with the '/l' command-line switch, which instructs Word to load a specified add-in at startup; an attacker can point it at an arbitrary DLL.

Author: Victor Sergeev, oscd.community
Created: Fri Oct 09
Updated: Wed Mar 29
Rule ID: f7375e28-5c14-432f-b8d1-1db26c832df3

Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (2 selectors)
detection:
    selection_img:
        - Image|endswith: '\WINWORD.exe'
        - OriginalFileName: 'WinWord.exe'
    selection_dll:
        CommandLine|contains|all:
            - '/l '
            - '.dll'
    condition: all of selection_*
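To show how the two selectors combine, here is the rule's matching logic reimplemented in Python and run over a handful of constructed process-creation events. This is an added example, not code from the Sigma project or the rule author, and the events are made up for illustration (Sysmon-style field names). It reproduces Sigma's default case-insensitive string matching: selection_img is a list of maps, so its two field tests are OR-ed; selection_dll uses contains|all, so both substrings must appear; the condition AND-s the two selectors. The loaded_path helper is a triage aid that is not part of the rule.

```python
import re

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # 0: straightforward hit, Word told to load a DLL from a user-writable path
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "OriginalFileName": "WinWord.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /l C:\Users\Public\addin.dll',
    },
    {   # 1: ordinary document open, no /l switch, no DLL
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "OriginalFileName": "WinWord.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\alice\Documents\report.docx"',
    },
    {   # 2: copied/renamed binary; Image no longer ends with \WINWORD.exe, but the
        #    OriginalFileName from the PE version resource still identifies Word
        "Image": r"C:\Users\Public\w.exe",
        "OriginalFileName": "WinWord.exe",
        "CommandLine": r"C:\Users\Public\w.exe /l C:\Users\Public\addin.DLL",
    },
    {   # 3: /l with a .wll add-in; the rule requires the literal '.dll', so no hit
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "OriginalFileName": "WinWord.exe",
        "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /l C:\Users\Public\macros.wll',
    },
    {   # 4: another process with '/l' and '.dll' in its arguments; selection_img fails
        "Image": r"C:\Windows\System32\rundll32.exe",
        "OriginalFileName": "RUNDLL32.EXE",
        "CommandLine": r"rundll32.exe /l payload.dll",
    },
]


def selection_img(event):
    """selection_img: a list of maps, so the two field tests are OR-ed.
    Sigma string matching is case-insensitive by default, hence lower()."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\winword.exe") or original == "winword.exe"


def selection_dll(event):
    """selection_dll: CommandLine|contains|all, every listed substring must be present."""
    cmdline = event.get("CommandLine", "").lower()
    return all(needle in cmdline for needle in ("/l ", ".dll"))


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_dll(event)


# Argument after /l, quoted or bare (hypothetical triage helper, not in the rule).
LOAD_ARG = re.compile(r'/l\s+("([^"]+)"|(\S+))', re.IGNORECASE)


def loaded_path(event):
    """Return what Word was asked to load via /l, or None if there is no /l argument."""
    m = LOAD_ARG.search(event.get("CommandLine", ""))
    if not m:
        return None
    return m.group(2) or m.group(3)


def evaluate(events):
    """Return (event index, loaded path) for every event the rule fires on."""
    return [(i, loaded_path(ev)) for i, ev in enumerate(events) if rule_matches(ev)]


if __name__ == "__main__":
    for idx, path in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: WINWORD /l -> {path}")
```

Events 0 and 2 fire; event 2 shows why the OriginalFileName test matters when the binary has been copied under another name. Events 3 and 4 show the rule's edges: it needs '/l' followed by a space and the literal '.dll' somewhere on the command line, so an add-in with another extension does not match, and the DLL substring alone is not enough without the Word image check.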
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

Related Rules
Similar: 2621b3a6-3840-4810-ac14-a02426086171
Rule Metadata
Rule ID
f7375e28-5c14-432f-b8d1-1db26c832df3
Status
test
Level
medium
Type
Detection
Created
Fri Oct 09
Modified
Wed Mar 29
Path
rules/windows/process_creation/proc_creation_win_office_winword_dll_load.yml
Raw Tags
attack.defense-evasion, attack.t1202