title: Microsoft Office Product Spawning Windows Shell
author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
date: 2018/04/06
description: Detects a Windows command and scripting interpreter executable started
  from Microsoft Word, Excel, Powerpoint, Publisher and Visio
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    ParentImage:
    - '*\WINWORD.EXE'
    - '*\EXCEL.EXE'
    - '*\POWERPNT.exe'
    - '*\MSPUB.exe'
    - '*\VISIO.exe'
    - '*\OUTLOOK.EXE'
    - '*\MSACCESS.EXE'
    - '*\EQNEDT32.EXE'
  SELECTION_3:
    Image:
    - '*\cmd.exe'
    - '*\powershell.exe'
    - '*\wscript.exe'
    - '*\cscript.exe'
    - '*\sh.exe'
    - '*\bash.exe'
    - '*\scrcons.exe'
    - '*\schtasks.exe'
    - '*\regsvr32.exe'
    - '*\hh.exe'
    - '*\wmic.exe'
    - '*\mshta.exe'
    - '*\rundll32.exe'
    - '*\msiexec.exe'
    - '*\forfiles.exe'
    - '*\scriptrunner.exe'
    - '*\mftrace.exe'
    - '*\AppVLP.exe'
    - '*\svchost.exe'
    - '*\msbuild.exe'
  condition: (SELECTION_1 and SELECTION_2 and SELECTION_3)
falsepositives:
- unknown
fields:
- CommandLine
- ParentCommandLine
id: 438025f9-5856-4663-83f7-52f878a70a50
level: high
logsource:
  category: process_creation
  product: windows
modified: 2020/09/01
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
status: experimental
tags:
- attack.execution
- attack.t1204
- attack.t1204.002