Office process spawned with suspicious command-line arguments

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Process Injection: Process Hollowing (T1055.012)

Severity

Medium

Description

An Office process was run with LOLBIN-like command-line arguments. This behavior is exhibited in the VBA-RunPE tool that runs executables from the memory of Word/Excel/PowerPoint.

Attacker's Goals

Execute arbitrary code or run malicious applications undetected.

Investigative actions

Check the file that spawns the office application, and search for macros, formulas, or scripts.

Variations

PowerPoint process accesses a suspicious PPAM file

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Process Injection: Process Hollowing (T1055.012)

Severity

Medium

Description

A PowerPoint process opened a PPAM file which might be used to execute a malicious code.

Attacker's Goals

Execute arbitrary code or run malicious applications undetected.

Investigative actions

Check the file that spawns the office application, and search for macros, formulas, or scripts.