---
Name: winword.exe
Description: Document editor included with Microsoft Office.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Commands:
  - Command: winword.exe /l dllfile.dll
    Description: Launch DLL payload.
    Usecase: Execute a locally stored DLL using winword.exe.
    Category: Execute
    Privileges: User
    MitreID: T1218
    MItreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows
Full_Path:
  - Path: c:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Code_Sample:
  - Code:
Detection:
  - IOC:
Resources:
  - Link: https://twitter.com/vysecurity/status/884755482707210241
  - Link: https://twitter.com/Hexacorn/status/885258886428725250
Acknowledgement:
  - Person: Vincent Yiu (cmd)
    Handle: '@@vysecurity'
  - Person: Adam (Internals)
    Handle: '@Hexacorn'
---