Identifies a suspicious image load (wmiutils.dll) from Microsoft Office processes. This behavior may indicate adversarial activity where child processes are spawned via Windows Management Instrumentation (WMI). This technique can be used to execute code and evade traditional parent/child processes spawned from MS Office products.
Rule type: eql
Risk score: 21
Runs every: 5 minutes
Maximum alerts per execution: 100
- Threat Detection
Version: 2 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.11.2
Rule authors: Elastic
Rule license: Elastic License
library where process.name in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "MSPUB.EXE", "MSACCESS.EXE") and event.action == "load" and event.category == "library" and file.name == "wmiutils.dll"
Framework: MITRE ATT&CKTM
- Version 2 (7.11.2 release)
- Formatting only