CVE-2012-1854 Splunk · SPL

Detect CVE-2012-1854 - Microsoft VBA Insecure Library Loading (DLL Hijacking) in Splunk

Detects exploitation of CVE-2012-1854, a DLL hijacking vulnerability in Microsoft Visual Basic for Applications (VBA). Attackers can place a malicious DLL in a directory searched before the legitimate library path, causing Office applications loading VBA to execute attacker-controlled code. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic
Execution Persistence Privilege Escalation

SPL Detection Query

Splunk (SPL)
spl 
index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7
| where (Image="*\\WINWORD.EXE" OR Image="*\\EXCEL.EXE" OR Image="*\\POWERPNT.EXE" OR Image="*\\OUTLOOK.EXE" OR Image="*\\MSACCESS.EXE" OR Image="*\\MSPUB.EXE" OR Image="*\\VISIO.EXE")
| where (ImageLoaded="*\\vbe7.dll" OR ImageLoaded="*\\vba7.dll" OR ImageLoaded="*\\vbe6.dll" OR ImageLoaded="*\\vba6.dll" OR ImageLoaded="*\\msvbvm60.dll" OR ImageLoaded="*\\msvbvm50.dll")
| where (ImageLoaded="*\\Users\\*" OR ImageLoaded="*\\AppData\\*" OR ImageLoaded="*\\Temp\\*" OR ImageLoaded="*\\Downloads\\*" OR ImageLoaded="*\\Desktop\\*")
| eval risk="VBA DLL loaded from suspicious path"
| table _time, Computer, User, Image, ImageLoaded, Hashes, risk
| sort -_time
high severity high confidence

Detects Sysmon DLL image load events (EventCode 7) where Office applications load VBA DLLs from user-writable or temporary paths, signaling potential DLL hijacking via CVE-2012-1854.

Data Sources

Windows SysmonSplunk Enterprise Security

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software packaging tools that stage Office components in non-standard paths
  • Roaming profile configurations where DLLs may load from UNC paths resolving to user directories
  • Legitimate Office add-in installations with non-standard library paths
  • Virtual environments where Office binaries run from redirected paths

Other platforms for CVE-2012-1854

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1VBA DLL Hijack - Place Malicious DLL in Temp Directory

    Expected signal: Sysmon Event ID 7 showing WINWORD.EXE loading vbe7.dll from %TEMP% path; DeviceImageLoadEvents in MDE showing FolderPath containing \Temp\

  2. Test 2VBA DLL Hijack - Place Malicious DLL in Downloads Directory

    Expected signal: Sysmon ImageLoad event with ImageLoaded path in \Downloads\; Windows Security log showing file creation event in Downloads directory followed by Office process DLL load

  3. Test 3VBA DLL Hijack - Simulate Document-Triggered DLL Load via PowerShell

    Expected signal: Sysmon Event ID 7 with POWERPNT.EXE as initiating process and vba7.dll loaded from TEMP\vba_hijack_test path; process creation event showing PowerShell as parent of POWERPNT

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2012-1854 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0003PersistenceTA0004Privilege Escalation

Related Techniques

T1574.001DLLT1574.002DLL Side-LoadingT1059.005Visual Basic

Same Tactic: Execution

Popular Detections