Date: 10/08/2024
Severity: Low
Summary
Identifies when Microsoft Excel is loading an Add-In (.xll) file.
Indicators of Compromise (IOC) List
Image: '\excel.exe'
ImageLoaded: '.xll'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: (resourcename = "Sysmon" AND eventtype = "7") AND image = "\excel.exe" AND imageloaded = ".xll"
Detection Query 2: technologygroup = "EDR" AND image = "\excel.exe" AND imageloaded = ".xll"
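The following is an added example, not code from Gurucul or from the SigmaHQ rule referenced below. It applies the two IOCs above to Sysmon Event ID 7 (ImageLoad) records and adds the triage context an analyst would want for a Low-severity hit: whether the add-in is signed and whether it was loaded from a user-writable path. Matching is assumed to be suffix-based and case-insensitive, which is how the referenced Sigma rule expresses the same conditions; the event records, the `ImageLoadEvent` class, the `USER_WRITABLE_HINTS` list and the triage wording are constructed for this example.

```python
"""Excel .xll add-in load detection over Sysmon Event ID 7 records (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoadEvent:
    """Constructed subset of a Sysmon ImageLoad record (assumed field names)."""
    event_id: int
    image: str          # process that loaded the module
    image_loaded: str   # full path of the loaded module
    signed: str         # Sysmon "Signed" field as a string: "true" / "false"
    signature: str      # publisher name; empty when unsigned


# Path fragments that suggest a user-writable drop location (constructed heuristic).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def is_excel_xll_load(ev: ImageLoadEvent) -> bool:
    """Sysmon Event ID 7 where Image ends with \\excel.exe and ImageLoaded ends with .xll.

    Suffix matching mirrors the page's IOCs; lower-casing makes it case-insensitive
    because Windows paths are not case-sensitive.
    """
    if ev.event_id != 7:
        return False
    return (ev.image.lower().endswith("\\excel.exe")
            and ev.image_loaded.lower().endswith(".xll"))


def triage(ev: ImageLoadEvent) -> str:
    """Add context for a hit: legitimate add-ins are common, so prioritise
    unsigned modules and modules loaded from user-writable locations."""
    path = ev.image_loaded.lower()
    reasons = []
    if ev.signed.lower() != "true":
        reasons.append("unsigned add-in")
    if any(hint in path for hint in USER_WRITABLE_HINTS):
        reasons.append("loaded from user-writable location")
    if reasons:
        return "review: " + ", ".join(reasons)
    return "likely benign: signed, installed location"


def run_detection(events):
    """Return (event, triage note) for every record matching the detection."""
    return [(ev, triage(ev)) for ev in events if is_excel_xll_load(ev)]


# Constructed sample telemetry; none of these paths or names come from the page.
SAMPLE_EVENTS = [
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                   r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL",
                   "true", "Microsoft Corporation"),
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                   r"C:\Users\alice\AppData\Local\Temp\invoice.xll",
                   "false", ""),
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                   r"C:\Users\alice\Downloads\notes.xll",
                   "false", ""),
    ImageLoadEvent(7, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                   r"C:\Windows\System32\mso.dll",
                   "true", "Microsoft Corporation"),
    ImageLoadEvent(1, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                   r"C:\Users\alice\Downloads\report.xll",
                   "false", ""),
]


if __name__ == "__main__":
    for ev, note in run_detection(SAMPLE_EVENTS):
        print(f"[Excel .xll load] {ev.image_loaded} -> {note}")
```

Only the first two records fire: the signed add-in under the Office install directory is reported as likely benign, while the unsigned add-in in a Temp folder is flagged for review. Word loading an .xll, Excel loading a .dll, and a non-ImageLoad event are all ignored, matching the scope of the two queries above.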
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/image_load/image_load_office_excel_xll_load.yml