Office process spawned with suspicious command-line arguments

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Process Injection: Process Hollowing (T1055.012)

Severity

Low

Description

An Office process was executed with LOLBIN-like command-line arguments. This behavior is exhibited by the VBA-RunPE tool, which runs executables from within the memory of Word, Excel, or PowerPoint.

Attacker's Goals

Execute arbitrary code or run malicious applications undetected.

Investigative actions

Check the file that spawns the office application, and search for macros, formulas, or scripts.

Variations

Masqueraded office process spawned with suspicious command-line arguments

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Severity

Medium

Description

An executable masquerading as an Office process was executed with LOLBIN-like command-line arguments.

Attacker's Goals

Execute arbitrary code or run malicious applications undetected.

Investigative actions

Check the file that spawns the office application, and search for macros, formulas, or scripts.
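The following is an added illustration, not Cortex XSIAM's own detection logic (which this reference page does not publish): a small Python detector over constructed process-start events that reproduces the two alert variations above. An Office image name whose arguments carry interpreter-style switches instead of Office's own document-launch switches is flagged as the base alert; when that image additionally runs from outside the expected Office install directories it is reported as the masqueraded variation. The image names, install-path prefixes, switch lists and the sample events are all assumptions made for the example, and the parent image is surfaced because the investigative action above asks which file spawned the Office application.

```python
"""Toy detector for the two alert variations (added example, assumed logic)."""
import ntpath
from typing import Optional

# Assumed image names for the Office hosts named in the description.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Assumed install-path prefixes; a production rule would also check the signer.
EXPECTED_OFFICE_DIRS = (
    "c:\\program files\\microsoft office\\",
    "c:\\program files (x86)\\microsoft office\\",
)

# Switches characteristic of shells/interpreters rather than Office (assumed,
# abbreviated list); Office's own launch switches such as /n or /q are absent.
LOLBIN_SWITCHES = {
    "c", "k", "enc", "encodedcommand", "command", "ep", "executionpolicy",
    "nop", "noprofile", "windowstyle", "urlcache", "decode",
}


def split_command_line(cmdline: str) -> list[str]:
    """Minimal Windows-style tokeniser: whitespace splits, double quotes group."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def normalise_switch(arg: str) -> Optional[str]:
    """Return the bare switch name for '/x' or '-x' style arguments, else None."""
    if len(arg) > 1 and arg[0] in "/-":
        return arg.lstrip("/-").lower()
    return None


def classify(event: dict) -> Optional[dict]:
    """Return an alert record for one process-start event, or None."""
    image = event["image_path"]
    if ntpath.basename(image).lower() not in OFFICE_IMAGES:
        return None
    args = split_command_line(event["command_line"])[1:]  # drop argv[0]
    switches = {s for s in (normalise_switch(a) for a in args) if s}
    matched = switches & LOLBIN_SWITCHES
    if not matched:
        return None
    masqueraded = not image.lower().startswith(EXPECTED_OFFICE_DIRS)
    return {
        "alert": ("Masqueraded office process spawned with suspicious command-line arguments"
                  if masqueraded else
                  "Office process spawned with suspicious command-line arguments"),
        "severity": "Medium" if masqueraded else "Low",
        "matched_switches": sorted(matched),
        # The investigative action asks which file spawned the Office process.
        "parent_to_review": event["parent_image"],
    }


def detect(events: list[dict]) -> list[dict]:
    """Run classify() over a batch and keep only the events that alert."""
    return [a for a in (classify(e) for e in events) if a]


# Constructed sample events: a benign document launch, an Office image with a
# shell-style argument, and an Office-named binary running from a temp folder.
SAMPLE_EVENTS = [
    {"image_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\a\report.docx"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /c ver',
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"image_path": r"C:\Users\a\AppData\Local\Temp\EXCEL.EXE",
     "command_line": r'"C:\Users\a\AppData\Local\Temp\EXCEL.EXE" -nop -command "Get-Date"',
     "parent_image": r"C:\Users\a\AppData\Local\Temp\setup.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second sample event has a Word process as the parent of the flagged Word process, which is the shape one would expect from a macro that re-launches its own host; the parent's document (and its macros) is therefore the first file to examine, exactly as the investigative action says.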

PowerPoint process accesses a suspicious PPAM file

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Process Injection: Process Hollowing (T1055.012)

Severity

Low

Description

A PowerPoint process opened a PPAM file, which might be used to execute malicious code.

Attacker's Goals

Execute arbitrary code or run malicious applications undetected.

Investigative actions

Check the file that spawns the office application, and search for macros, formulas, or scripts.