Suspicious Microsoft Office Child Process
About the rule
Rule Type
Standard
Rule Description
Detects a suspicious process spawning from one of the Microsoft Office suite products (Word, Excel, PowerPoint, Publisher, Visio, etc.). A hit requires an Office (or Equation Editor) parent process and at least one of: a child whose PE OriginalFileName is a known LOLBin, a child whose image name is a known LOLBin or script host, or a child image located in a user-writable or staging directory.
Severity
Trouble
Rule Requirement
Criteria
Action1: actionname = "Process started"
  AND PARENTPROCESSNAME endswith "\EQNEDT32.EXE,\EXCEL.EXE,\MSACCESS.EXE,\MSPUB.exe,\ONENOTE.EXE,\POWERPNT.exe,\VISIO.exe,\WINWORD.EXE,\wordpad.exe,\wordview.exe"
  AND (
    (
      (ORIGINALFILENAME = "bitsadmin.exe,CertOC.exe,CertUtil.exe,Cmd.Exe,CMSTP.EXE,cscript.exe,curl.exe,HH.exe,IEExec.exe,InstallUtil.exe,javaw.exe,Microsoft.Workflow.Compiler.exe,msdt.exe,MSHTA.EXE"
       OR ORIGINALFILENAME = "msiexec.exe,Msxsl.exe,odbcconf.exe,pcalua.exe,PowerShell.EXE,RegAsm.exe,RegSvcs.exe,REGSVR32.exe,RUNDLL32.exe,schtasks.exe,ScriptRunner.exe,wmic.exe,WorkFolders.exe,wscript.exe")
      OR
      (PROCESSNAME endswith "\AppVLP.exe,\bash.exe,\bitsadmin.exe,\certoc.exe,\certutil.exe,\cmd.exe,\cmstp.exe,\control.exe,\cscript.exe,\curl.exe,\forfiles.exe,\hh.exe,\ieexec.exe,\installutil.exe,\javaw.exe,\mftrace.exe,\Microsoft.Workflow.Compiler.exe,\msbuild.exe,\msdt.exe,\mshta.exe"
       OR PROCESSNAME endswith "\msidb.exe,\msiexec.exe,\msxsl.exe,\odbcconf.exe,\pcalua.exe,\powershell.exe,\pwsh.exe,\regasm.exe,\regsvcs.exe,\regsvr32.exe,\rundll32.exe,\schtasks.exe,\scrcons.exe,\scriptrunner.exe,\sh.exe,\svchost.exe,\verclsid.exe,\wmic.exe,\workfolders.exe,\wscript.exe")
    )
    OR PROCESSNAME contains "\AppData\,\Users\Public\,\ProgramData\,\Windows\Tasks\,\Windows\Temp\,\Windows\System32\Tasks"
  )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
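To make the three OR branches of the criteria concrete, here is the rule's logic re-implemented in Python and run over a handful of constructed process-creation records. This is an added example, not code from the rule page, the rule platform or the listed authors. It assumes Sysmon Event ID 1 field names (ParentImage, Image, OriginalFileName, CommandLine, User, Computer) and case-insensitive comparison, as for any Windows path or file name; the sample records are constructed, not real telemetry.

```python
# Added example (not code from the rule page or its authors): the rule's
# criteria re-implemented in Python and run over constructed Sysmon Event ID 1
# style process-creation records. Assumptions: Sysmon field names
# (ParentImage, Image, OriginalFileName, CommandLine, User, Computer) and
# case-insensitive comparison, as for any Windows path or file name.

# Parent images: the Office suite binaries named in the rule's criteria.
OFFICE_PARENTS = tuple("\\" + n for n in """
eqnedt32.exe excel.exe msaccess.exe mspub.exe onenote.exe powerpnt.exe
visio.exe winword.exe wordpad.exe wordview.exe
""".split())

# OriginalFileName comes from the PE version resource, so this clause still
# fires when a LOLBin has been copied and renamed on disk.
SUSPICIOUS_ORIGINAL_NAMES = set("""
bitsadmin.exe certoc.exe certutil.exe cmd.exe cmstp.exe cscript.exe curl.exe
hh.exe ieexec.exe installutil.exe javaw.exe microsoft.workflow.compiler.exe
msdt.exe mshta.exe msiexec.exe msxsl.exe odbcconf.exe pcalua.exe powershell.exe
regasm.exe regsvcs.exe regsvr32.exe rundll32.exe schtasks.exe scriptrunner.exe
wmic.exe workfolders.exe wscript.exe
""".split())

# Child image names the rule flags (matched as a path suffix).
SUSPICIOUS_CHILD_NAMES = tuple("\\" + n for n in """
appvlp.exe bash.exe bitsadmin.exe certoc.exe certutil.exe cmd.exe cmstp.exe
control.exe cscript.exe curl.exe forfiles.exe hh.exe ieexec.exe installutil.exe
javaw.exe mftrace.exe microsoft.workflow.compiler.exe msbuild.exe msdt.exe
mshta.exe msidb.exe msiexec.exe msxsl.exe odbcconf.exe pcalua.exe powershell.exe
pwsh.exe regasm.exe regsvcs.exe regsvr32.exe rundll32.exe schtasks.exe
scrcons.exe scriptrunner.exe sh.exe svchost.exe verclsid.exe wmic.exe
workfolders.exe wscript.exe
""".split())

# Any child image launched from a user-writable or staging directory.
SUSPICIOUS_PATHS = (
    "\\appdata\\", "\\users\\public\\", "\\programdata\\",
    "\\windows\\tasks\\", "\\windows\\temp\\", "\\windows\\system32\\tasks",
)


def matches_rule(event):
    """True when the record satisfies: Office parent AND (original-name OR
    child-name OR suspicious-path), the structure of the rule's criteria."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    if not parent.endswith(OFFICE_PARENTS):
        return False
    return (
        original in SUSPICIOUS_ORIGINAL_NAMES
        or image.endswith(SUSPICIOUS_CHILD_NAMES)
        or any(p in image for p in SUSPICIOUS_PATHS)
    )


def run_rule(events):
    """Project the alert fields (the rule's select clause) for every hit."""
    fields = ("Computer", "User", "CommandLine", "Image", "ParentImage")
    return [{k: ev.get(k) for k in fields} for ev in events if matches_rule(ev)]


OFFICE16 = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # 1. Word -> PowerShell: hits on both OriginalFileName and image name
    {"Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": OFFICE16 + "WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\Public\\setup.ps1"},
    # 2. Renamed wscript.exe in an unlisted directory: only OriginalFileName hits
    {"Computer": "WS01", "User": "CORP\\alice",
     "ParentImage": OFFICE16 + "EXCEL.EXE",
     "Image": "C:\\Tools\\helper.exe", "OriginalFileName": "wscript.exe",
     "CommandLine": "helper.exe C:\\Tools\\stage.js"},
    # 3. Unknown binary under AppData: caught by the path clause alone
    {"Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": OFFICE16 + "POWERPNT.EXE",
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe",
     "OriginalFileName": "", "CommandLine": "update.exe"},
    # 4. Benign: the 32-bit print driver host that Word routinely spawns
    {"Computer": "WS02", "User": "CORP\\bob",
     "ParentImage": OFFICE16 + "WINWORD.EXE",
     "Image": "C:\\Windows\\splwow64.exe", "OriginalFileName": "splwow64.exe",
     "CommandLine": "C:\\Windows\\splwow64.exe 12288"},
    # 5. Not covered: OUTLOOK.EXE is absent from the rule's parent list
    {"Computer": "WS03", "User": "CORP\\carol",
     "ParentImage": OFFICE16 + "OUTLOOK.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["Computer"], hit["User"], hit["ParentImage"], "->", hit["Image"])
```

Records 1 to 3 alert, each through a different branch; record 2 shows why the ORIGINALFILENAME clause matters, since the renamed script host lives outside every listed directory and would otherwise pass. Record 5 is worth noting when tuning: the parent list in the criteria does not include OUTLOOK.EXE, so a command shell launched from Outlook is not covered by this rule as written.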
Detection
Execution Mode
realtime
Log Sources
Windows
Author
Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io