CLR DLL Loaded Via Office Applications

Sigma Rules

Summary
This detection rule identifies Microsoft Office applications loading the Common Language Runtime (CLR) Dynamic Link Library (DLL), clr.dll. A CLR DLL loaded inside these applications can signify potential malicious tradecraft, as adversaries may leverage Office products to execute unauthorized code. By monitoring for Office applications such as Excel, Word, and PowerPoint loading clr.dll, security professionals can pinpoint suspicious activity that may indicate exploitation attempts or software misuse. The rule is driven primarily by image load events logged by the Windows operating system, so it is critical for enterprises to monitor these applications robustly as part of their threat detection strategy.
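The check described above, sketched as an added example in Python (not the Sigma rule's own source). It assumes Sysmon-style image load records with `Image` and `ImageLoaded` fields, assumes the Office process names `excel.exe`, `winword.exe` and `powerpnt.exe`, and uses exact file-name matching as its own choice; the sample events are constructed.

```python
import ntpath

# Assumed executable names for the Office applications named in the summary.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
CLR_DLL = "clr.dll"


def is_office_clr_load(event):
    """True when an image load event shows an Office process loading clr.dll."""
    # ntpath parses Windows paths correctly regardless of the analysis host OS.
    image = ntpath.basename(event.get("Image", "")).lower()
    loaded = ntpath.basename(event.get("ImageLoaded", "")).lower()
    # Exact basename comparison avoids matching names that merely contain "clr.dll".
    return image in OFFICE_IMAGES and loaded == CLR_DLL


def find_hits(events):
    """Return (computer, process path) for every matching image load event."""
    return [(e.get("Computer", "unknown"), e["Image"])
            for e in events if is_office_clr_load(e)]


# Constructed sample image load events (hosts and paths are illustrative).
SAMPLE_EVENTS = [
    {"Computer": "ws-01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"Computer": "ws-02",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CLR.DLL"},
    # Non-Office process loading the CLR: expected, not a hit.
    {"Computer": "ws-03",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    # Office process loading an unrelated DLL: not a hit.
    {"Computer": "ws-01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll"},
    # File name only contains "clr.dll": rejected by the exact match.
    {"Computer": "ws-04",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Temp\notclr.dll"},
    # Malformed record without ImageLoaded: ignored rather than raising.
    {"Computer": "ws-05",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]

if __name__ == "__main__":
    for computer, image in find_hits(SAMPLE_EVENTS):
        print(f"{computer}: {image} loaded {CLR_DLL}")
```

Hits from hosts running legitimate .NET-based Office add-ins would also match this check, so triage should account for the add-ins deployed in the environment.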
Categories
  • Windows
  • Endpoint
Data Sources
  • Image
Created: 2020-02-19