Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
N/A (single event) |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
|
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Medium |
Description
A Microsoft Office process spawned a commonly abused process with a full command (not a script), this is a typically malicious behavior.
Attacker's Goals
An attacker is trying to gain code execution on the host.
Investigative actions
Check whether the command line executed is benign or normal for the host and/or user performing it. For example, employees working in finance may have legitimate use cases for complex Excel commands.