Techniques
Sample rules
Office Product Spawn CMD Process
- source: splunk
- technicques:
- T1566
- T1566.001
Description
The following analytic detects an Office product spawning a CMD process, which is indicative of a macro executing shell commands to download or run malicious code. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names. This activity is significant as it often signals the execution of malicious payloads, such as those seen in Trickbot spear-phishing campaigns. If confirmed malicious, this behavior could lead to unauthorized code execution, potentially compromising the system and allowing further malicious activities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name = "winword.exe" OR Processes.parent_process_name= "excel.exe" OR Processes.parent_process_name = "powerpnt.exe" OR Processes.parent_process_name= "onenote.exe" OR Processes.parent_process_name = "onenotem.exe" OR Processes.parent_process_name = "onenoteviewer.exe" OR Processes.parent_process_name = "onenoteim.exe" OR Processes.parent_process_name = "msaccess.exe" OR Processes.parent_process_name="Graph.exe" OR Processes.parent_process_name="winproj.exe") `process_cmd` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest Processes.original_file_name
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| `office_product_spawn_cmd_process_filter`