Merge PR #4910 from @dr0pd34d - Add Microsoft Word Add-In Loaded

new: Microsoft Word Add-In Loaded --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
SigmaHQ · Jul 11, 2024 · 5f9d70c · 5f9d70c
1 parent b584e19
commit 5f9d70c
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml b/rules-threat-hunting/windows/image_load/image_load_office_word_wll_load.yml
@@ -0,0 +1,25 @@
+title: Microsoft Word Add-In Loaded
+id: 1337afba-d17d-4d23-bd55-29b927603b30
+status: experimental
+description: |
+    Detects Microsoft Word loading an Add-In (.wll) file which can be used by threat actors for initial access or persistence.
+references:
+    - https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence
+    - https://nored0x.github.io/red-teaming/office-persistence/#what-is-a-wll-file
+author: Steffen Rogge (dr0pd34d)
+date: 2024/07/10
+tags:
+    - attack.execution
+    - attack.t1204.002
+    - detection.threat_hunting
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\winword.exe'
+        ImageLoaded|endswith: '.wll'
+    condition: selection
+falsepositives:
+    - The rules is only looking for ".wll" loads. So some false positives are expected with legitimate and allowed WLLs.
+level: low
diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
@@ -2,6 +2,7 @@ validators:
     - all
     - -tlptag
     - -tlpv1_tag
+    - -sigmahq_logsource_coherent
     - -sigmahq_logsource_known
     - -sigmahq_fieldname_cast
     - -sigmahq_filename_prefix