# Macro

## Description

Automatically categorized datasets in the `macro` directory.
## MITRE ATT&CK Techniques
| ID | Technique | Tactic |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Initial Access |
## Environment Details
| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | macro |
| Test Date | 2025-08-12 |
## Datasets

The following datasets were collected during this attack simulation:

### Windows-Sysmon_mshtml
- Path: `/datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log`
- Sourcetype: `XmlWinEventLog`
- Source: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

### Windows-Sysmon_cabinf
- Path: `/datasets/attack_techniques/T1566.001/macro/windows-sysmon_cabinf.log`
- Sourcetype: `XmlWinEventLog`
- Source: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

### Windows-Sysmon_control
- Path: `/datasets/attack_techniques/T1566.001/macro/windows-sysmon_control.log`
- Sourcetype: `XmlWinEventLog`
- Source: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

### Windows-Sysmon_icedid
- Path: `/datasets/attack_techniques/T1566.001/macro/windows-sysmon_icedid.log`
- Sourcetype: `XmlWinEventLog`
- Source: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

### Windows-Sysmon_macros
- Path: `/datasets/attack_techniques/T1566.001/macro/windows-sysmon_macros.log`
- Sourcetype: `XmlWinEventLog`
- Source: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

### Windows-Sysmon
- Path: `/datasets/attack_techniques/T1566.001/macro/windows-sysmon.log`
- Sourcetype: `XmlWinEventLog`
- Source: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

### Windows-Sysmon_wsh
- Path: `/datasets/attack_techniques/T1566.001/macro/windows-sysmon_wsh.log`
- Sourcetype: `XmlWinEventLog`
- Source: `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`

### Msdt-Windows-Security
- Path: `/datasets/attack_techniques/T1566.001/macro/msdt-windows-security.log`
- Sourcetype: `XmlWinEventLog`
- Source: `XmlWinEventLog:Security`
## Related Detections
The following detections in our security content repository use this attack data for testing:
| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| Windows Office Product Spawned Rundll32 With No DLL | TTP | Endpoint | T1566.001 | Spearphishing Attachments, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, Compromised Windows Host, Prestige Ransomware, Graceful Wipe Out Attack, Crypto Stealer |
| Windows Office Product Spawned Control | TTP | Endpoint | T1566.001 | Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host |
| Windows Office Product Dropped Cab or Inf File | TTP | Endpoint | T1566.001 | Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, Compromised Windows Host, APT37 Rustonotto and FadeStealer |
| Windows Execute Arbitrary Commands with MSDT | TTP | Endpoint | T1218 | Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 |
| Windows Office Product Spawned MSDT | TTP | Endpoint | T1566.001 | Spearphishing Attachments, Compromised Windows Host, Microsoft Support Diagnostic Tool Vulnerability CVE-2022-30190 |
| Windows Office Product Spawned Uncommon Process | TTP | Endpoint | T1566.001 | AgentTesla, Azorult, Compromised Windows Host, CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability, DarkCrystal RAT, FIN7, IcedID, NjRAT, PlugX, Qakbot, Remcos, Spearphishing Attachments, Trickbot, Warzone RAT, APT37 Rustonotto and FadeStealer |
| Windows Office Product Loaded MSHTML Module | Anomaly | Endpoint | T1566.001 | Spearphishing Attachments, Microsoft MSHTML Remote Code Execution CVE-2021-40444, CVE-2023-36884 Office and Windows HTML RCE Vulnerability |
## Usage Instructions

### Replay with Splunk Attack Data

Replay attack data with `replay.py` from Splunk Attack Data:

```bash
python replay.py --dataset /datasets/attack_techniques/T1566.001/macro/windows-sysmon_mshtml.log --index attack_data
```
### Manual Import
- Download the dataset files from the paths listed above
- Configure your Splunk instance with the appropriate sourcetypes
- Import the logs using the Splunk Add Data wizard
## Related Content
Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0