title: Malicious Documents
description: Detect high risk processes spawned from Office applications. Complementary to T1566.001 Spearphishing
  Attachment due to similar download and macro detections.
author: keyboardcrunch
date: 10/10/2020
modified: 05/12/2020
mitre:
   tactic: Execution
   technique: T1204
   subtechnique: 002
operating_system: windows
query: (SrcProcParentName In Contains ("WINWORD.EXE","EXCEL.EXE") AND SrcProcName
  In Contains Anycase ("cmd.exe","cscript.exe","wscript.exe","certutil.exe","powershell.exe","msbuild.exe","csc.exe"))
  OR IndicatorName = "SuspiciousDocument"
false_positives: 
   - Legit docs with macros.
   - McAfee DLP hits on links opened from docs.
   - Office plugins opening sites within browsers.
tags: