Phase 1 · T1059.001 · Easy

Detecting Office Applications Spawning PowerShell

Word/Excel/Outlook spawning powershell.exe is a textbook macro-payload pattern.

#Windows #Sysmon #ATT&CK

Detection Objective

Detect Office process trees that fork into PowerShell.

Real-World Attack Scenario

A malicious .docm runs a macro that launches powershell.exe to stage an implant.

Why This Detection Matters

Initial access detections here interrupt the chain before persistence.

ATT&CK Mapping

T1059.001 · PowerShell
Tactic: Execution

Required Telemetry

  • Sysmon EID 1 with ParentImage
Windows Event IDs: 4688
Sysmon Event IDs: 1
Wazuh Log Source: Sysmon/Operational

Setup Steps

  1. Sysmon EID 1 with ParentImage captured.

Safe Validation Command

Manually invoke PowerShell from Excel for a controlled test.
Excel → Developer → VBA: Shell "powershell.exe -c Write-Host detection-test"
⚠ lab use only · this project does not execute real malware

Expected Log Output

Sysmon EID 1
ParentImage: ...\WINWORD.EXE
Image: ...\powershell.exe

Detection Logic (Wazuh rule concept)

ParentImage matches /(?i)(winword|excel|powerpnt|outlook|msaccess)\.exe$/ AND Image matches /(?i)(powershell|pwsh)\.exe$/

False Positives

  • Enterprise Office add-ins (rare)

Tuning Recommendations

  • Allowlist specific signed add-in paths.
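The rule concept above, together with the add-in allowlist from the tuning recommendation, as an added Python example (not code from this project or from Wazuh). It evaluates constructed Sysmon EID 1 field sets rather than real logs; the allowlisted add-in script path under "Contoso" is a hypothetical value, and the interpretation that add-in tuning keys on the script path in CommandLine (because add-in code runs inside the Office process, so the parent is still EXCEL.EXE) is an assumption of this example.

```python
import re

# Regexes taken from the page's detection logic (Wazuh rule concept).
OFFICE_PARENT = re.compile(r"(?i)(winword|excel|powerpnt|outlook|msaccess)\.exe$")
POWERSHELL_IMAGE = re.compile(r"(?i)(powershell|pwsh)\.exe$")

# Tuning allowlist (hypothetical, constructed for this example): script paths
# belonging to signed enterprise add-ins that legitimately launch PowerShell.
ALLOWLISTED_ADDIN_SCRIPTS = (
    r"C:\Program Files\Contoso\ReportAddin\export.ps1",
)

RULE_ID = 100771      # Wazuh rule id used on this page
RULE_LEVEL = "high"


def evaluate(event):
    """Apply the Office -> PowerShell rule to one Sysmon event (dict of fields).

    Returns an alert dict when the rule fires, or None when the event is not
    EID 1, does not match, or is suppressed by the tuning allowlist.
    """
    if str(event.get("EventID", "")) != "1":
        return None
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    if not (OFFICE_PARENT.search(parent) and POWERSHELL_IMAGE.search(image)):
        return None
    cmdline = event.get("CommandLine", "")
    # Tuning: suppress only when an allowlisted add-in script path is present.
    if any(path.lower() in cmdline.lower() for path in ALLOWLISTED_ADDIN_SCRIPTS):
        return None
    return {
        "rule": RULE_ID,
        "level": RULE_LEVEL,
        "parent": parent,
        "image": image,
        "user": event.get("User", ""),
        "agent": event.get("Computer", ""),
    }


def run_rule(events):
    """Return the alerts produced by a batch of events."""
    return [a for a in (evaluate(e) for e in events) if a is not None]


# Constructed sample telemetry (not captured logs).
_WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
_EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
_OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_BASE = {"Computer": "WIN10-LAB-01", "User": r"CORP\j.doe"}

SAMPLE_EVENTS = [
    # the page's validation test: Word spawning PowerShell -> alert
    {**_BASE, "EventID": 1, "ParentImage": _WORD, "Image": _PS,
     "CommandLine": "powershell.exe -c Write-Host detection-test"},
    # interactive user launching PowerShell from Explorer -> no alert
    {**_BASE, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe"},
    # allowlisted add-in script launched by Excel -> suppressed by tuning
    {**_BASE, "EventID": 1, "ParentImage": _EXCEL, "Image": _PS,
     "CommandLine": r'powershell.exe -File "C:\Program Files\Contoso\ReportAddin\export.ps1"'},
    # Outlook spawning PowerShell 7 -> alert (pwsh.exe is covered too)
    {**_BASE, "EventID": 1, "ParentImage": _OUTLOOK,
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -c Write-Host detection-test"},
    # network-connection event with the same images -> ignored (not EID 1)
    {**_BASE, "EventID": 3, "ParentImage": _WORD, "Image": _PS, "CommandLine": ""},
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts (the Word and Outlook events); the Explorer parent, the allowlisted add-in script and the EID 3 event produce none. The allowlist matches on the full script path rather than the script name so that a macro dropping a same-named file in a temp directory does not inherit the exemption.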

Analyst Triage Notes

  • Pull the originating document hash and sender.

Detection Improvement Ideas

  • Auto-detonate the document in a sandbox via SOAR.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule 100771
Detecting Office Applications Spawning PowerShell
Sysmon/Operational
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
CommandLine: Excel → Developer → VBA: Shell "powershell.exe -c Write-Host detection-test"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
analyst note
Pull the originating document hash and sender.

Parent → Child Analysis

WINWORD.EXE → powershell.exe — review whether this lineage is expected for WIN10-LAB-01 and user CORP\j.doe.

Command-Line Flags Observed

  • (no high-risk flags in this test)
    Signal value comes from context (parent, network, persistence) rather than flags.

Parsed Fields the Analyst Reads

  • Image: Process binary that executed — confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: Who launched it — context for legitimacy.
    C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
  • CommandLine: Arguments — where attacker intent shows up.
    Excel → Developer → VBA: Shell "powershell.exe -c Write-Host detection-test"
  • User: Account context — service vs interactive vs SYSTEM.
    CORP\j.doe
  • EventID: Telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: Rule that matched and produced this alert.
    100771
  • Agent: Endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: When it happened — anchor for correlation.
    2026-05-26T14:32:11Z
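The parent → child analysis, the command-line flag check and the parsed-field list above, carried out in code as an added Python example (not part of this project): it flattens one Sysmon EID 1 record from the Windows event XML into the fields the analyst reads, derives the lineage string, and reports which high-risk switches the command line carries. The XML record is constructed for this example (the EventData values are assumptions, not a captured log), and the flag patterns are an illustrative starting set to be tuned per environment.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML as exported from Sysmon/Operational.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon EID 1 record for the validation test on this page.
SAMPLE_EVENT_XML = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon"/>
    <EventID>1</EventID>
    <TimeCreated SystemTime="2026-05-26T14:32:11Z"/>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>WIN10-LAB-01</Computer>
  </System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="CommandLine">powershell.exe -c Write-Host detection-test</Data>
    <Data Name="User">CORP\j.doe</Data>
    <Data Name="ParentImage">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  </EventData>
</Event>"""

# Switches a triage analyst looks for, reported in this order.
# Patterns are constructed for this example; tune them for your environment.
HIGH_RISK_FLAGS = [
    ("EncodedCommand", re.compile(r"(?i)(^|\s)-e(c|nc|ncodedcommand)?\b")),
    ("HiddenWindow", re.compile(r"(?i)-w(indowstyle)?\s+hidden\b")),
    ("NoProfile", re.compile(r"(?i)(^|\s)-nop(rofile)?\b")),
    ("ExecutionPolicyBypass", re.compile(r"(?i)-(ep|ex|exec|executionpolicy)\s+bypass\b")),
    ("DownloadCradle", re.compile(
        r"(?i)(downloadstring|downloadfile|invoke-webrequest|invoke-expression|\biwr\b|\biex\b)")),
]


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into the fields the analyst reads."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": system.findtext("e:EventID", namespaces=NS),
        "Agent": system.findtext("e:Computer", namespaces=NS),
        "Timestamp": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    # Every <Data Name="..."> element becomes a field of the same name.
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def lineage(fields):
    """Parent -> child summary using basenames, e.g. 'WINWORD.EXE → powershell.exe'."""
    return f"{ntpath.basename(fields['ParentImage'])} → {ntpath.basename(fields['Image'])}"


def high_risk_flags(cmdline):
    """Names of the high-risk switches present in a command line (may be empty)."""
    return [name for name, pattern in HIGH_RISK_FLAGS if pattern.search(cmdline)]


def triage_summary(fields):
    """The confirming fields an analyst records, plus derived context."""
    return {
        "Lineage": lineage(fields),
        "Image": fields["Image"],
        "ParentImage": fields["ParentImage"],
        "CommandLine": fields["CommandLine"],
        "User": fields["User"],
        "EventID": fields["EventID"],
        "Agent": fields["Agent"],
        "Timestamp": fields["Timestamp"],
        "HighRiskFlags": high_risk_flags(fields["CommandLine"]),
    }


if __name__ == "__main__":
    for key, value in triage_summary(parse_sysmon_event(SAMPLE_EVENT_XML)).items():
        print(f"{key}: {value}")
```

For the validation command the flag list comes back empty, matching the "(no high-risk flags in this test)" observation above; the same function run over a constructed command line such as `powershell.exe -nop -w hidden -enc QQBB` reports `EncodedCommand`, `HiddenWindow` and `NoProfile`, which is the shape of the context that raises the lineage signal from suspicious to high-confidence.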

Malicious Pattern

pattern
Office Applications Spawning PowerShell
description
A malicious .docm runs a macro that launches powershell.exe to stage an implant.
analyst takeaway
Initial access detections here interrupt the chain before persistence. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command
Excel → Developer → VBA: Shell "powershell.exe -c Write-Host detection-test"
expected event
Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine.
expected wazuh alert
Wazuh rule 100771 — "Detecting Office Applications Spawning PowerShell" fires at a level matching severity=high.
confirming log fields
Image, ParentImage, CommandLine, User, EventID
analyst interpretation
The recorded fields satisfy every clause of the detection logic. Parent process, user context, and command-line arguments together prove the behavior was observed end to end.
conclusion
Detection succeeded: telemetry was captured, the rule matched, and the alert reached the analyst with enough context to triage.