title: Office Application Spawns Scripting or LOLBin Process
id: 67a438b8-b930-4760-ab4e-99810ad450a3
status: experimental
description: >
    Detects a Microsoft Office application spawning a script interpreter or living-off-the-land
    binary, a classic phishing-to-execution pivot (macro or exploit dropping a child process).
references:
    - https://attack.mitre.org/techniques/T1566/
    - https://attack.mitre.org/techniques/T1059/
author: Zion Boggan
date: 2026-05-13
tags:
    - attack.initial_access
    - attack.t1566.001
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powerpnt.exe'
            - '\outlook.exe'
            - '\mspub.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Some enterprise document templates legitimately call scripts; rare, baseline per environment.
level: high
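To show how the selection above actually fires, here is an added Python example (not part of the rule and not Sigma project code) that re-implements the two `|endswith` lists ANDed together, which is how Sigma evaluates the keys of a single selection map, and runs it over a few constructed process_creation events. The case-insensitive comparison mirrors Sigma's default string matching; the field names follow the Sigma process_creation taxonomy; every event, path and command line below is constructed, not real telemetry.

```python
"""Evaluate the rule's `selection` against constructed process_creation events.

Added illustration, not the rule's own code: mirrors one Sigma selection map
(keys ANDed, list values ORed) with Sigma's default case-insensitive matching.
"""
from __future__ import annotations

# Suffix lists copied from the rule. The leading backslash anchors the match
# to the file name, so "C:\Users\x\Temp\cmd.exe" matches but a path component
# merely containing the name does not.
PARENT_IMAGES: tuple[str, ...] = (
    "\\winword.exe", "\\excel.exe", "\\powerpnt.exe", "\\outlook.exe", "\\mspub.exe",
)
CHILD_IMAGES: tuple[str, ...] = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe",
    "\\mshta.exe", "\\rundll32.exe", "\\regsvr32.exe", "\\bitsadmin.exe",
)


def _endswith_any(value: str | None, suffixes: tuple[str, ...]) -> bool:
    """Sigma `|endswith` with a list value: true if ANY suffix matches (case-insensitive).

    A missing field never matches; it must not raise, because real telemetry
    frequently lacks ParentImage for processes whose parent already exited.
    """
    if value is None:
        return False
    lowered = value.lower()
    return any(lowered.endswith(s.lower()) for s in suffixes)


def selection_matches(event: dict) -> bool:
    """Both keys of the selection map must match: Office parent AND scripting/LOLBin child."""
    return _endswith_any(event.get("ParentImage"), PARENT_IMAGES) and _endswith_any(
        event.get("Image"), CHILD_IMAGES
    )


def run_rule(events: list[dict]) -> list[dict]:
    """`condition: selection`: every event the selection matches becomes an alert."""
    return [e for e in events if selection_matches(e)]


# Constructed sample events (field names per Sigma process_creation taxonomy).
SAMPLE_EVENTS: list[dict] = [
    {   # Word spawning PowerShell; upper-case parent exercises case-insensitivity -> alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -File update.ps1",
    },
    {   # Excel opening Notepad: child is not in the list -> no alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe report.txt",
    },
    {   # Explorer launching PowerShell: parent is not an Office app -> no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe",
    },
    {   # Outlook spawning mshta: both lists match -> alert
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta.exe preview.hta",
    },
    {   # ParentImage absent (parent already exited): evaluates to no match, no exception
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(f"ALERT: {alert['ParentImage']} -> {alert['Image']}")
```

Running the script prints two alerts (the Word-to-PowerShell and Outlook-to-mshta events) and is silent for the other three, which is the behaviour a SIEM backend compiled from this rule should reproduce; feeding it a sample of your own baseline telemetry is a quick way to measure the false-positive rate the `falsepositives` entry warns about before raising the rule from `experimental`.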