CVE-2012-1854

CVE-2012-1854 - Microsoft VBA Insecure Library Loading (DLL Hijacking)

Execution Persistence Privilege Escalation Last updated:

Detects exploitation of CVE-2012-1854, a DLL hijacking vulnerability in Microsoft Visual Basic for Applications (VBA). Attackers can place a malicious DLL in a directory searched before the legitimate library path, causing Office applications loading VBA to execute attacker-controlled code. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Microsoft
Product
Visual Basic for Applications (VBA)

Weakness (CWE)

CWE-426

Timeline

Disclosed
April 13, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2012-1854 CVE-2012-1854 - Microsoft VBA Insecure Library Loading (DLL Hijacking)?

CVE-2012-1854 - Microsoft VBA Insecure Library Loading (DLL Hijacking) (CVE-2012-1854) maps to the Execution and Persistence and Privilege Escalation tactics — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2012-1854 - Microsoft VBA Insecure Library Loading (DLL Hijacking), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation
Microsoft Sentinel / Defender
kusto 
let SuspiciousDLLPaths = dynamic(['\\Users\\', '\\AppData\\', '\\Temp\\', '\\Downloads\\', '\\Desktop\\']);
DeviceImageLoadEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName has_any ('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'MSACCESS.EXE', 'MSPUB.EXE', 'VISIO.EXE')
| where FileName has_any ('vbe7.dll', 'vba7.dll', 'vbe6.dll', 'vba6.dll', 'msvbvm60.dll', 'msvbvm50.dll')
| where FolderPath has_any (SuspiciousDLLPaths)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessFolderPath, FileName, FolderPath, SHA256, InitiatingProcessCommandLine
| extend RiskIndicator = 'VBA DLL loaded from non-standard path'
| order by Timestamp desc

Detects Office applications loading VBA-related DLLs from non-standard paths such as user profile directories, AppData, Temp, or Downloads folders, indicative of DLL hijacking exploitation of CVE-2012-1854.

high severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel

Required Tables

DeviceImageLoadEvents

False Positives

  • Legitimate software testing or development environments where VBA DLLs are deployed in non-standard locations
  • Software installation or update processes temporarily placing DLLs in user directories
  • Portable Office applications or sandboxed environments with non-standard directory structures
  • Antivirus or DLP tools staging files in temporary locations during scanning

Sigma rule & cross-platform mapping

The detection logic for CVE-2012-1854 - Microsoft VBA Insecure Library Loading (DLL Hijacking) (CVE-2012-1854) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2012-1854 Sigma rules on detection.fyi

Platform-specific guides for CVE-2012-1854

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VBA DLL Hijack - Place Malicious DLL in Temp Directory

    Expected signal: Sysmon Event ID 7 showing WINWORD.EXE loading vbe7.dll from %TEMP% path; DeviceImageLoadEvents in MDE showing FolderPath containing \Temp\

  2. Test 2VBA DLL Hijack - Place Malicious DLL in Downloads Directory

    Expected signal: Sysmon ImageLoad event with ImageLoaded path in \Downloads\; Windows Security log showing file creation event in Downloads directory followed by Office process DLL load

  3. Test 3VBA DLL Hijack - Simulate Document-Triggered DLL Load via PowerShell

    Expected signal: Sysmon Event ID 7 with POWERPNT.EXE as initiating process and vba7.dll loaded from TEMP\vba_hijack_test path; process creation event showing PowerShell as parent of POWERPNT

Unlock Pro Content

Get the full detection package for CVE-2012-1854 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0003PersistenceTA0004Privilege Escalation

Related Techniques

T1574.001DLLT1574.002DLL Side-LoadingT1059.005Visual Basic

Same Tactic: Execution

Popular Detections