Original Work:
Loading of VBE/VBA DLLs, even though the document does not contain a macro
Image loaded:
RuleName: Image Load-Include
UtcTime: 2022-04-17 14:06:36.035
ProcessGuid: {26d732db-1eeb-625c-f001-000000007400}
ProcessId: 7224
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL
FileVersion: 7.01.1091
Description: Visual Basic Environment International Resources
Product: Visual Basic Environment
Company: Microsoft Corporation
OriginalFileName: -
Hashes: MD5=CDA3EA478C604783B76964E88FD7030D
Signed: true
Signature: Microsoft Corporation
SignatureStatus: Valid
User: LARES\Administrator
Loading of CLR
Image loaded:
RuleName: -
UtcTime: 2022-04-17 14:06:36.082
ProcessGuid: {26d732db-1eeb-625c-f001-000000007400}
ProcessId: 7224
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
FileVersion: 4.8.4470.0 built by: NET48REL1LAST_C
Description: Microsoft .NET Runtime Common Language Runtime - WorkStation
Product: Microsoft® .NET Framework
Company: Microsoft Corporation
OriginalFileName: clr.dll
Hashes: MD5=3C242B76E36DAB6C0B1E300AE7BC3D2E
Signed: true
Signature: Microsoft Corporation
SignatureStatus: Valid
User: LARES\Administrator
Loading of Microsoft.Office.Tools.ni.dll - this is one of the DLLs that get downloaded
Image loaded:
RuleName: -
UtcTime: 2022-04-17 14:06:36.207
ProcessGuid: {26d732db-1eeb-625c-f001-000000007400}
ProcessId: 7224
Image: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ImageLoaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O5949707a#\9488eaffce7b80b43c74164f10974bf2\Microsoft.Office.Tools.ni.dll
FileVersion: 10.0.60828.0
Description: Microsoft.Office.Tools.dll
Product: Microsoft (R) Visual Studio (R) 2010
Company: Microsoft Corporation
OriginalFileName: Microsoft.Office.Tools.dll
Hashes: MD5=DC96A989F72E15002DC96DB7A0286BDA
Signed: false
Signature: -
SignatureStatus: Unavailable
User: LARES\Administrator
Other potentially interesting DLLs/Images Loaded:
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll
C:\Windows\System32\wbem\wbemprox.dll
C:\Windows\System32\wbem\wbemsvc.dll
C:\Windows\System32\wbemcomn.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\350cc142cbf24bf0c58b8a15a4a7576c\Accessibility.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O2eb0cc9a#\2f1bcc300f118525a68e7bc0b75fa36b\Microsoft.Office.Tools.v4.0.Framework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O4a946565#\783e0007ed9243399dc317981d74bdb8\Microsoft.Office.Tools.Common.Implementation.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O5949707a#\9488eaffce7b80b43c74164f10974bf2\Microsoft.Office.Tools.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.O854200f9#\cb740b751dba9b84b69c1c632dfbb00e\Microsoft.Office.Tools.Common.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Oab3f8ec6#\1b15b7d9214b992dbf40dc1e0480aff0\Microsoft.Office.Tools.Word.Implementation.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Oeab01fba#\8c5505c1dba74a57fb87edacc141bcfe\Microsoft.Office.Tools.Word.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V1955d7fd#\af1b73e85f62700723d027eb23a07f9f\Microsoft.VisualStudio.Tools.Applications.ServerDocument.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V28a60cc2#\145fe9f32778b075efeca52fa504b7ae\Microsoft.VisualStudio.Tools.Office.Runtime.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V883708cb#\eb6b6fb0f21915830b28c9e0f1d434eb\Microsoft.VisualStudio.Tools.Applications.Runtime.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf9a08577#\6ad9a85d12bc9d7fb10254634e375474\Microsoft.VisualStudio.Tools.Applications.Hosting.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\4046283e0547cf962895addfab543a71\PresentationFramework.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\297cb0e6fe49a124df05271c2ae25f4d\PresentationCore.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\168562c979bde30e369325e74ca2d255\System.Configuration.Install.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\b975269524a5b5c4024312664f699596\System.Configuration.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\e950876872d82f53f34ddb39c91b2d04\System.Core.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\d9075d43740193513df92ce40e7eb314\System.Data.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\c4585423a73adaee454e8b5a2bbc5034\System.DirectoryServices.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\7b4834f232ee0b2acdbb224f8126d451\System.Drawing.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\92568befc418011446e548ce95a1dfa3\System.Numerics.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runt73a1fc9d#\1a753fc53faf9402dcf22bc88ff9dfa4\System.Runtime.Remoting.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runteb92aa12#\c2bd3e51726bac781e7bc8fd7111bd16\System.Runtime.Serialization.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\0451c9c979cd106d4d2616937abc7aca\System.ServiceProcess.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\dfb4bad9d5eed5a79b21677bff43283f\System.Transactions.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.Services\080998bec79b73d6a70ba1f3700719d6\System.Web.Services.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web\5de36576d8e9f22de79c12c86bb1b178\System.Web.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\21880015ae86d10263ebb0b6b0b96141\System.Windows.Forms.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xaml\662111c906d9fbe00e8ebfd692ad1734\System.Xaml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml.Linq\2775ea251939b1fe4b8115ce54b9a097\System.Xml.Linq.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\4b4c18876d4db2b65562def74ec6630f\System.Xml.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6aaf038fc5a894ddf3cbce94407fb772\System.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\f244ed885f26c41420cef02a61dae140\WindowsBase.ni.dll
C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\c5986fd5d6139abd4222b5cb6a32cadf\mscorlib.ni.dll
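The loads above are more useful correlated per process than alerted on one at a time. Added example (not part of the original notes): a Python detector over constructed Sysmon Event ID 7 records, modelled on the WINWORD.EXE loads shown, that reports an Office process which loads clr.dll and then a VSTO runtime native image within a short window. The second process GUID and the 30-second window are assumptions, and a legitimately installed VSTO add-in produces the same sequence, so the output is for baselining rather than a verdict.

```python
from datetime import datetime, timedelta

OFFICE_HOSTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
# Substrings that identify the VSTO runtime native images listed above.
VSTO_MARKERS = ("microsoft.office.tools", "microsoft.visualstudio.tools")
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
NI = r"C:\Windows\assembly\NativeImages_v4.0.30319_64"

def load(utc, guid, image_loaded, signed="true", image=WORD):
    """Build one Sysmon Event ID 7 record using Sysmon's own field names."""
    return {"UtcTime": utc, "ProcessGuid": guid, "Image": image,
            "ImageLoaded": image_loaded, "Signed": signed}

# Constructed records modelled on the WINWORD.EXE loads above (same paths and
# times for the first process; the second process and its GUID are made up).
G1, G2 = "{26d732db-1eeb-625c-f001-000000007400}", "{00000000-0000-0000-0000-constructed}"
SAMPLE_LOADS = [
    load("2022-04-17 14:06:36.035", G1, r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\VBE7INTL.DLL"),
    load("2022-04-17 14:06:36.082", G1, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"),
    load("2022-04-17 14:06:36.207", G1, NI + r"\Microsoft.O5949707a#\9488eaffce7b80b43c74164f10974bf2\Microsoft.Office.Tools.ni.dll", signed="false"),
    # A second Word instance that only touches the VBA editor DLLs: no finding.
    load("2022-04-17 14:10:00.000", G2, r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL"),
]

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def find_vsto_loads(events, window=timedelta(seconds=30)):
    """One finding per Office process that loads clr.dll and, within `window`,
    a VSTO runtime native image. The finding carries the image path and its
    signature state so the result can be baselined against known add-ins."""
    by_proc = {}
    for e in events:
        if e["Image"].lower().endswith(OFFICE_HOSTS):
            by_proc.setdefault(e["ProcessGuid"], []).append(e)
    findings = []
    for guid, loads in by_proc.items():
        loads.sort(key=lambda e: parse_time(e["UtcTime"]))
        clr_at = None
        for e in loads:
            name = e["ImageLoaded"].lower()
            if name.endswith("\\clr.dll"):
                clr_at = parse_time(e["UtcTime"])
            elif clr_at is not None and any(m in name for m in VSTO_MARKERS) \
                    and parse_time(e["UtcTime"]) - clr_at <= window:
                findings.append({"ProcessGuid": guid, "Image": e["Image"],
                                 "VstoImage": e["ImageLoaded"], "Signed": e["Signed"]})
                break  # one finding per process is enough
    return findings
```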
Applicable Sigma Rules:
C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d9437 - InternalCreateProcessWCommand
C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d848f - ExternalCreateProcessWCommand
C:\Windows\SYSTEM32\windows.storage.dll+1a166d - CallCreateProcess
C:\Windows\SYSTEM32\windows.storage.dll+19a733 - InvokeCreateProcessVerbLaunch
C:\Windows\SYSTEM32\windows.storage.dll+19a61d - InvokeCreateProcessVerbExecute
C:\Windows\System32\SHELL32.dll+5e3d9 - DoExecute
C:\Windows\System32\SHELL32.dll+610be - ShellExecuteW
Sample Sysmon Config Snippets:
<Rule groupRelation="and">
<SourceImage condition="contains">Microsoft Office</SourceImage>
<CallTrace condition="contains" name="function_name=InternalCreateProcessWCommand">C:\Program Files\Microsoft Office\root\Office16\AppVIsvSubsystems64.dll+d9437</CallTrace>
</Rule>
<Rule groupRelation="and">
<SourceImage condition="contains">Microsoft Office</SourceImage>
<CallTrace condition="contains" name="function_name=CallCreateProcess">C:\Windows\SYSTEM32\windows.storage.dll+1a166d</CallTrace>
</Rule>
Sample Event:
Process accessed:
RuleName: function_name=InternalCreateProcessWCommand
UtcTime: 2022-04-17 15:23:32.082
SourceProcessGUID: {26d732db-30f3-625c-3803-000000007400}
SourceProcessId: 8104
SourceThreadId: 11180
SourceImage: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
TargetProcessGUID: {26d732db-30f4-625c-3b03-000000007400}
TargetProcessId: 4852
TargetImage: C:\Windows\system32\notepad.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9e664|C:\Windows\System32\KERNELBASE.dll+8e73|C:\Windows\System32\KERNELBASE.dll+71a6|C:\Windows\System32\KERNEL32.DLL+1cbb4|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d9437|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d848f|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d8ef8|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d192e|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d24c7|C:\Windows\SYSTEM32\windows.storage.dll+1a166d|C:\Windows\SYSTEM32\windows.storage.dll+136c92|C:\Windows\SYSTEM32\windows.storage.dll+19a90c|C:\Windows\SYSTEM32\windows.storage.dll+19a733|C:\Windows\SYSTEM32\windows.storage.dll+19a61d|C:\Windows\SYSTEM32\windows.storage.dll+1d9724|C:\Windows\SYSTEM32\windows.storage.dll+c1fc7|C:\Windows\SYSTEM32\windows.storage.dll+135cf7|C:\Windows\System32\SHELL32.dll+4dfa1|C:\Windows\System32\SHELL32.dll+5e3d9|C:\Windows\System32\SHELL32.dll+60d00|C:\Windows\System32\SHELL32.dll+6187b|C:\Windows\System32\SHELL32.dll+610be|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6aaf038fc5a894ddf3cbce94407fb772\System.ni.dll+38b1ac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6aaf038fc5a894ddf3cbce94407fb772\System.ni.dll+2d41f2
SourceUser: LARES\Administrator
TargetUser: LARES\Administrator
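The call trace in the sample event can be checked two ways, shown here as an added Python example that is not from the original notes: an exact match on the module+offset frames listed under the Sigma rules (which is what the Sysmon CallTrace rules above do) and, because those offsets change with every DLL build, a build-independent check that a .NET native image frame sits above the SHELL32 frames. The event record is a constructed, abridged copy of the one above.

```python
import re
# Frames from the "Applicable Sigma Rules" list above, lowercased for matching.
# Sysmon's CallTrace rules match module+offset; offsets are build-specific.
KNOWN_FRAMES = {
    r"c:\program files\microsoft office\root\office16\appvisvsubsystems64.dll+d9437": "InternalCreateProcessWCommand",
    r"c:\windows\system32\windows.storage.dll+1a166d": "CallCreateProcess",
    r"c:\windows\system32\shell32.dll+610be": "ShellExecuteW",
}
FRAME_RE = re.compile(r"^(?P<module>.+)\+(?P<offset>[0-9a-f]+)$", re.IGNORECASE)

# Constructed Event ID 10 record; its CallTrace is an abridged copy of the
# trace on the page, keeping the frames the checks below look at.
SAMPLE_EVENT = {
    "SourceImage": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
    "CallTrace": "|".join([
        r"C:\Windows\SYSTEM32\ntdll.dll+9e664",
        r"C:\Windows\System32\KERNEL32.DLL+1cbb4",
        r"C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+d9437",
        r"C:\Windows\SYSTEM32\windows.storage.dll+1a166d",
        r"C:\Windows\System32\SHELL32.dll+5e3d9",
        r"C:\Windows\System32\SHELL32.dll+610be",
        r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System\6aaf038fc5a894ddf3cbce94407fb772\System.ni.dll+38b1ac",
    ]),
}

def parse_call_trace(trace):
    """(module basename, full frame) pairs; Sysmon lists the innermost frame
    first, so the caller of a frame comes later in the list."""
    frames = []
    for raw in trace.split("|"):
        m = FRAME_RE.match(raw.strip())
        if m:
            module = m.group("module").rsplit("\\", 1)[-1].lower()
            frames.append((module, raw.strip().lower()))
    return frames

def analyse_process_access(event):
    """Exact offset match (what the page's Sysmon rules do) plus a
    build-independent check: a .NET native image (*.ni.dll) above SHELL32
    in the stack means managed code inside Office drove ShellExecute."""
    frames = parse_call_trace(event["CallTrace"])
    shell_idx = [i for i, (mod, _) in enumerate(frames) if mod == "shell32.dll"]
    managed_idx = [i for i, (mod, _) in enumerate(frames) if mod.endswith(".ni.dll")]
    return {
        "office_source": "microsoft office" in event["SourceImage"].lower(),
        "matched_functions": [KNOWN_FRAMES[f] for _, f in frames if f in KNOWN_FRAMES],
        "managed_caller_of_shellexecute": bool(shell_idx and managed_idx and max(managed_idx) > max(shell_idx)),
    }
```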
Log File created in: C:\Users\administrator\AppData\Local\Microsoft\Windows\INetCache\IE\3YO3RLUX
(directories will vary)
Log File contents:
This looks like a great forensic artifact; it contains:
- Windows + DLL versions
- Source where the add-on files were downloaded from (!!)
- Name of the assembly loaded
PLATFORM VERSION INFO
Windows : 10.0.19044.0 (Win32NT)
Common Language Runtime : 4.0.30319.42000
System.Deployment.dll : 4.8.4270.0 built by: NET48REL1LAST_C
clr.dll : 4.8.4470.0 built by: NET48REL1LAST_C
dfdll.dll : 4.8.4270.0 built by: NET48REL1LAST_C
dfshim.dll : 10.0.19041.1 (WinBuild.160101.0800)
SOURCES
Deployment url : http://192.168.1.158:9999/VSTOTest.vsto
Application url : http://192.168.1.158:9999/Application%20Files/VSTOTest_1_0_0_4/VSTOTest.dll.manifest
IDENTITIES
Deployment Identity : VSTOTest.vsto, Version=1.0.0.4, Culture=neutral, PublicKeyToken=8b52e2ca6fb271a7, processorArchitecture=msil
Application Identity : VSTOTest.dll, Version=1.0.0.4, Culture=neutral, PublicKeyToken=8b52e2ca6fb271a7, processorArchitecture=msil, type=win32
APPLICATION SUMMARY
* Online only application.
ERROR SUMMARY
No errors were detected during this operation.
COMPONENT STORE TRANSACTION FAILURE SUMMARY
No transaction error was detected.
WARNINGS
There were no warnings during this operation.
OPERATION PROGRESS STATUS
No phase information is available.
ERROR DETAILS
No errors were detected during this operation.
COMPONENT STORE TRANSACTION DETAILS
No transaction information is available.
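Added example (not from the original notes): a Python parser for the install log above that splits it into its upper-case sections, pulls out the deployment source and identity, and flags the properties of the download source seen here (cleartext http, IP-literal host, non-standard port). The log text is a constructed copy of the one above, with the tab indentation real logs carry.

```python
import re
from urllib.parse import urlsplit
# Constructed copy of the VSTO/ClickOnce install log shown above, with the
# tab indentation real logs use under each upper-case section header.
SAMPLE_LOG = """PLATFORM VERSION INFO
\tWindows \t\t\t: 10.0.19044.0 (Win32NT)
\tCommon Language Runtime \t: 4.0.30319.42000
SOURCES
\tDeployment url \t\t\t: http://192.168.1.158:9999/VSTOTest.vsto
\tApplication url \t\t\t: http://192.168.1.158:9999/Application%20Files/VSTOTest_1_0_0_4/VSTOTest.dll.manifest
IDENTITIES
\tDeployment Identity \t\t: VSTOTest.vsto, Version=1.0.0.4, Culture=neutral, PublicKeyToken=8b52e2ca6fb271a7, processorArchitecture=msil
APPLICATION SUMMARY
\t* Online only application.
"""
SECTION_RE = re.compile(r"^[A-Z][A-Z ]+$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_clickonce_log(text):
    """Map each upper-case section to its 'key : value' lines; lines without
    a colon (bullets, status sentences) are kept under the key '_notes'."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if SECTION_RE.match(line):
            current = sections.setdefault(line, {"_notes": []})
        elif not line or current is None:
            continue
        elif ":" in line:
            key, value = line.split(":", 1)  # URLs keep their own colons
            current[" ".join(key.split())] = value.strip()
        else:
            current["_notes"].append(line)
    return sections

def assess_sources(sections):
    """Flag the properties of the deployment source an analyst would pivot on:
    cleartext transport, an IP-literal host and a non-standard port."""
    findings = []
    for key in ("Deployment url", "Application url"):
        url = sections.get("SOURCES", {}).get(key)
        if not url:
            continue
        u = urlsplit(url)
        if u.scheme != "https":
            findings.append(f"{key}: fetched over {u.scheme}")
        if IPV4_RE.match(u.hostname or ""):
            findings.append(f"{key}: IP-literal host {u.hostname}")
        if u.port not in (None, 80, 443):
            findings.append(f"{key}: non-standard port {u.port}")
    return {"identity": sections.get("IDENTITIES", {}).get("Deployment Identity"), "findings": findings}
```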
Sysmon Snippet:
Warning: This might also trigger on Office updates (needs more testing)
<Rule groupRelation="and" name="">
<Image condition="contains">root\Office16\</Image>
<TargetFilename condition="contains">\AppData\Local\Temp\Deployment\</TargetFilename>
</Rule>
Files written with this rule:
Note: VSTOTest is the name of the project
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\Microsoft.Office.Tools.Common.v4.0.Utilities.dll
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\Microsoft.Office.Tools.Common.v4.0.Utilities.dll.genman
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\Microsoft.Office.Tools.Word.v4.0.Utilities.dll
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\Microsoft.Office.Tools.Word.v4.0.Utilities.dll.genman
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\VSTOTest.dll
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\VSTOTest.dll.genman
C:\Users\administrator\AppData\Local\Temp\Deployment\12GBDE1Z.P2A\C986X1Q6.AE4\VSTOTest.dll.manifest
C:\Users\administrator\AppData\Local\Temp\Deployment\C2DH4D67.KJJ
C:\Users\administrator\AppData\Local\Temp\Deployment\C2DH4D67.KJJ\QDACZWRV.8JJ.application