detection.wiki

Detection rules › Elastic

Suspicious MS Office Child Process

Status
production
Severity
medium
Time window
9m
Author
Elastic
Source
github.com/elastic/detection-rules

Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel). These child processes are often launched during exploitation of Office applications or from documents with malicious macros.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1566.001 Phishing: Spearphishing Attachment
ExecutionT1059.001 Command and Scripting Interpreter: PowerShell, T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1203 Exploitation for Client Execution
StealthT1218.001 System Binary Proxy Execution: Compiled HTML File, T1218.002 System Binary Proxy Execution: Control Panel, T1218.003 System Binary Proxy Execution: CMSTP, T1218.004 System Binary Proxy Execution: InstallUtil, T1218.005 System Binary Proxy Execution: Mshta, T1218.008 System Binary Proxy Execution: Odbcconf, T1218.009 System Binary Proxy Execution: Regsvcs/Regasm, T1218.010 System Binary Proxy Execution: Regsvr32, T1218.011 System Binary Proxy Execution: Rundll32
DiscoveryT1016 System Network Configuration Discovery, T1033 System Owner/User Discovery, T1049 System Network Connections Discovery, T1057 Process Discovery, T1082 System Information Discovery

Event coverage

ProviderEventTitle
SysmonEvent ID 1Process creation
Security-AuditingEvent ID 4688A new process has been created.

Rule body elastic

[metadata]
creation_date = "2020/02/18"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, Excel).
These child processes are often launched during exploitation of Office applications or from documents with malicious
macros.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious MS Office Child Process"
note = """## Triage and analysis

### Investigating Suspicious MS Office Child Process

Microsoft Office (MS Office) is a suite of applications designed to help with productivity and completing common tasks on a computer. You can create and edit documents containing text and images, work with data in spreadsheets and databases, and create presentations and posters. As it is some of the most-used software across companies, MS Office is frequently targeted for initial access. It also has a wide variety of capabilities that attackers can take advantage of.

This rule looks for suspicious processes spawned by MS Office programs. This is generally the result of the execution of malicious documents.

#### Possible investigation steps

- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
- Investigate other alerts associated with the user/host during the past 48 hours.
- Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include, but are not limited to, the Downloads and Document folders and the folder configured at the email client.
- Determine if the collected files are malicious:
  - Use a private sandboxed malware analysis system to perform analysis.
    - Observe and collect information about the following activities:
      - Attempts to contact external domains and addresses.
      - File and registry access, modification, and creation activities.
      - Service creation and launch activities.
      - Scheduled task creation.
  - Use the PowerShell Get-FileHash cmdlet to get the files' SHA-256 hash values.
    - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.

### False positive analysis

- This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Isolate the involved host to prevent further post-compromise behavior.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- If the triage identified malware, search the environment for additional compromised hosts.
  - Implement temporary network rules, procedures, and segmentation to contain the malware.
  - Stop suspicious processes.
  - Immediately block the identified indicators of compromise (IoCs).
  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
- Remove and block malicious artifacts identified during triage.
- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
  - If the malicious file was delivered via phishing:
    - Block the email sender from sending future emails.
    - Block the malicious web pages.
    - Remove emails from the sender from mailboxes.
    - Consider improvements to the security awareness program.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [CrowdStrike](https://ela.st/crowdstrike-integration)
- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
"""

references = ["https://www.elastic.co/blog/vulnerability-summary-follina"]
risk_score = 47
rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Defense Evasion",
    "Tactic: Execution",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Windows Security Event Logs",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : (
      "eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe",
      "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe"
  ) and
  process.name : (
      "Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe",
      "certutil.exe", "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe",
      "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe",
      "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe",
      "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe",
      "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe",
      "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe",
      "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe"
  ) and
  not (
    process.parent.name : "outlook.exe" and
    process.name : "rundll32.exe" and
    process.args : "shell32.dll,Control_RunDLL" and
    process.args : "srchadmin.dll"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[[rule.threat.technique]]
id = "T1203"
name = "Exploitation for Client Execution"
reference = "https://attack.mitre.org/techniques/T1203/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.001"
name = "Compiled HTML File"
reference = "https://attack.mitre.org/techniques/T1218/001/"

[[rule.threat.technique.subtechnique]]
id = "T1218.002"
name = "Control Panel"
reference = "https://attack.mitre.org/techniques/T1218/002/"

[[rule.threat.technique.subtechnique]]
id = "T1218.003"
name = "CMSTP"
reference = "https://attack.mitre.org/techniques/T1218/003/"

[[rule.threat.technique.subtechnique]]
id = "T1218.004"
name = "InstallUtil"
reference = "https://attack.mitre.org/techniques/T1218/004/"

[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

[[rule.threat.technique.subtechnique]]
id = "T1218.008"
name = "Odbcconf"
reference = "https://attack.mitre.org/techniques/T1218/008/"

[[rule.threat.technique.subtechnique]]
id = "T1218.009"
name = "Regsvcs/Regasm"
reference = "https://attack.mitre.org/techniques/T1218/009/"

[[rule.threat.technique.subtechnique]]
id = "T1218.010"
name = "Regsvr32"
reference = "https://attack.mitre.org/techniques/T1218/010/"

[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1016"
name = "System Network Configuration Discovery"
reference = "https://attack.mitre.org/techniques/T1016/"

[[rule.threat.technique]]
id = "T1033"
name = "System Owner/User Discovery"
reference = "https://attack.mitre.org/techniques/T1033/"

[[rule.threat.technique]]
id = "T1049"
name = "System Network Connections Discovery"
reference = "https://attack.mitre.org/techniques/T1049/"

[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"

[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"

[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

Stages and Predicates

Stage 1: process

process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : (
      "eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe",
      "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe"
  ) and
  process.name : (
      "Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe",
      "certutil.exe", "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe",
      "dsquery.exe", "forfiles.exe", "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe",
      "installutil.exe", "ipconfig.exe", "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe",
      "netstat.exe", "nltest.exe", "odbcconf.exe", "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe",
      "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe",
      "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe",
      "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe"
  ) and
  not (
    process.parent.name : "outlook.exe" and
    process.name : "rundll32.exe" and
    process.args : "shell32.dll,Control_RunDLL" and
    process.args : "srchadmin.dll"
  )

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

FieldKindExcluded values
process.argseqshell32.dll,Control_RunDLL
process.argseqsrchadmin.dll
process.nameeqrundll32.exe
process.parent.nameeqoutlook.exe

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
event.typeeq
  • start corpus 606 (elastic 606)
process.namewildcard
  • Microsoft.Workflow.Compiler.exe corpus 8 (elastic 7, splunk 1)
  • arp.exe corpus 8 (elastic 7, splunk 1)
  • atbroker.exe corpus 5 (elastic 5)
  • bginfo.exe corpus 6 (elastic 6)
  • bitsadmin.exe corpus 14 (elastic 12, splunk 2)
  • cdb.exe corpus 7 (elastic 7)
  • certutil.exe corpus 22 (elastic 16, splunk 6)
  • cmd.exe corpus 77 (elastic 48, splunk 29)
  • cmstp.exe corpus 10 (elastic 10)
  • control.exe corpus 8 (elastic 6, splunk 2)
  • cscript.exe corpus 25 (elastic 23, splunk 2)
  • csi.exe corpus 6 (elastic 6)
  • dnx.exe corpus 6 (elastic 6)
  • dsget.exe corpus 7 (elastic 7)
  • dsquery.exe corpus 12 (elastic 8, splunk 4)
  • explorer.exe corpus 9 (elastic 7, splunk 2)
  • forfiles.exe corpus 7 (elastic 6, splunk 1)
  • fsi.exe corpus 6 (elastic 6)
  • ftp.exe corpus 5 (elastic 5)
  • gpresult.exe corpus 7 (elastic 7)
  • hh.exe corpus 5 (splunk 3, elastic 2)
  • hostname.exe corpus 7 (elastic 7)
  • ieexec.exe corpus 8 (elastic 8)
  • iexpress.exe corpus 8 (elastic 8)
  • installutil.exe corpus 18 (elastic 13, splunk 5)
  • ipconfig.exe corpus 8 (elastic 7, splunk 1)
  • msdt.exe corpus 8 (elastic 6, splunk 2)
  • mshta.exe corpus 31 (elastic 26, splunk 5)
  • msxsl.exe corpus 9 (elastic 8, splunk 1)
  • nbtstat.exe corpus 8 (elastic 8)
  • net.exe corpus 22 (elastic 20, splunk 2)
  • net1.exe corpus 35 (splunk 19, elastic 16)
  • netsh.exe corpus 18 (elastic 11, splunk 7)
  • netstat.exe corpus 8 (elastic 7, splunk 1)
  • nltest.exe corpus 10 (elastic 8, splunk 2)
  • odbcconf.exe corpus 10 (elastic 7, splunk 3)
  • ping.exe corpus 9 (elastic 7, splunk 2)
  • powershell.exe corpus 104 (elastic 60, splunk 44)
  • pwsh.exe corpus 62 (elastic 33, splunk 29)
  • qprocess.exe corpus 7 (elastic 7)
  • quser.exe corpus 8 (elastic 7, splunk 1)
  • qwinsta.exe corpus 8 (elastic 7, splunk 1)
  • rcsi.exe corpus 6 (elastic 6)
  • reg.exe corpus 20 (elastic 11, splunk 9)
  • regasm.exe corpus 11 (elastic 9, splunk 2)
  • regsvcs.exe corpus 10 (elastic 8, splunk 2)
  • regsvr32.exe corpus 25 (elastic 19, splunk 6)
  • rundll32.exe corpus 60 (elastic 34, splunk 26)
  • sc.exe corpus 29 (splunk 15, elastic 14)
  • schtasks.exe corpus 21 (splunk 11, elastic 10)
  • systeminfo.exe corpus 7 (elastic 7)
  • tasklist.exe corpus 9 (elastic 9)
  • tracert.exe corpus 6 (elastic 6)
  • whoami.exe corpus 11 (elastic 9, splunk 2)
  • wmic.exe corpus 47 (splunk 27, elastic 20)
  • wscript.exe corpus 29 (elastic 28, splunk 1)
  • xwizard.exe corpus 9 (elastic 9)
process.parent.namewildcard
  • eqnedt32.exe corpus 3 (elastic 3)
  • excel.exe corpus 8 (elastic 8)
  • fltldr.exe corpus 3 (elastic 3)
  • msaccess.exe corpus 4 (elastic 4)
  • mspub.exe corpus 5 (elastic 5)
  • outlook.exe corpus 7 (elastic 7)
  • powerpnt.exe corpus 7 (elastic 7)
  • winword.exe corpus 8 (elastic 8)