Suspicious MS Office Child Process
This rule detects suspicious child processes spawned by Microsoft Office applications, indicating potential exploitation or malicious macros used for initial access, command execution, defense evasion, and discovery activities.
This detection identifies suspicious child processes of frequently targeted Microsoft Office applications such as Word, PowerPoint, and Excel. These child processes are often launched during the exploitation of Office applications or from documents containing malicious macros. The rule focuses on detecting processes like powershell.exe, cmd.exe, mshta.exe, and others that are not typically legitimate child processes of Office applications. This activity is often associated with initial access via phishing and subsequent command execution for defense evasion or discovery. The rule is designed to identify potential compromises stemming from malicious Office documents targeting Windows systems.
Attack Chain
- A user receives a phishing email with a malicious Office document (e.g., Word, Excel) attached.
- The user opens the malicious document, which contains a malicious macro or exploits a vulnerability (e.g., CVE-2023-36028).
- Upon opening, the document executes the embedded malicious macro or exploit.
- The macro or exploit spawns a suspicious child process such as
powershell.exeorcmd.exe. - The spawned process executes commands to download and execute a payload from a remote server.
- The payload establishes persistence via registry modifications or scheduled tasks.
- The attacker performs discovery actions using tools like
whoami.exe,ipconfig.exe, ornet.exeto gather system information. - The attacker moves laterally within the network to compromise additional systems and achieve their objectives, such as data exfiltration or ransomware deployment.
Impact
A successful attack leveraging malicious Office documents can lead to initial access, allowing attackers to execute arbitrary code, establish persistence, and move laterally within the network. This can result in data theft, system compromise, and potentially ransomware deployment. The rule aims to detect these initial stages of compromise to prevent further damage.
Recommendation
- Deploy the Sigma rule "Suspicious MS Office Child Process - CommandLine" to your SIEM and tune for your environment to detect suspicious command-line arguments used by child processes spawned from MS Office applications.
- Enable Sysmon process creation logging (Event ID 1) to improve the fidelity of process creation events and activate the Sigma rules above.
- Review and harden macro execution policies within your organization to prevent the execution of malicious macros in Office documents.
- Monitor process creations with parent processes being MS Office applications and child processes executing system binaries or command interpreters such as
cmd.exe,powershell.exe, andwscript.exe.
Detection coverage 2
Suspicious MS Office Child Process - CommandLine
mediumDetects suspicious child processes of MS Office applications based on command-line arguments
Suspicious MS Office Child Process - System Binary
mediumDetects suspicious system binaries being launched from MS Office applications
Detection queries are available on the platform. Get full rules →