Detection: Detect Prohibited Office Applications Spawning cmd exe

Description

The following analytic identifies office/productivity applications acting as parent processes that spawn cmd.exe. Many applications spawn cmd.exe natively, or through macros built into documents, so this detection will need tuning to improve the fidelity of the risk it generates.

Annotations

No annotations available.

Implementation

In order to successfully implement this analytic, you will need endpoint process data from an EDR product or Sysmon. This search has been modified to process raw Sysmon data from attack_range's nxlogs on DSP.

Known False Positives

There are circumstances where an application may legitimately execute and interact with the Windows command-line interface.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest_device_id$ by user $dest_user_id$, producing a suspicious event that warrants investigating.
Risk Score: 35
Impact: 70
Confidence: 50

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100). The initial Confidence and Impact values are set by the analytic author.
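To make the Description and the risk scoring above concrete, here is an added example (not code from the Splunk Security Content project) that runs the same parent/child check over constructed Sysmon Event ID 1 style records, applies the page's Risk Score = Impact * Confidence / 100 formula, and fills in the $field$ tokens of the risk message. The set of office application names, the field names on the event records and the command-line allowlist used as a tuning hook are assumptions for this example; the page does not specify them.

```python
"""Added example: office/productivity parent spawning cmd.exe, scored with
Risk Score = Impact * Confidence / 100. Event records and the office
application list are constructed assumptions, not the project's own data."""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Assumed set of office/productivity parent images (tune per environment).
OFFICE_APPS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe",
}

# Impact and Confidence as stated on the page.
IMPACT = 70
CONFIDENCE = 50

RISK_MESSAGE = (
    "An instance of $parent_process_name$ spawning $process_name$ was "
    "identified on endpoint $dest_device_id$ by user $dest_user_id$, "
    "producing a suspicious event that warrants investigating."
)


@dataclass(frozen=True)
class ProcessEvent:
    """Subset of a Sysmon EID 1 record (field names are assumptions)."""
    computer: str        # becomes $dest_device_id$
    user: str            # becomes $dest_user_id$
    parent_image: str    # Sysmon ParentImage
    image: str           # Sysmon Image
    command_line: str    # Sysmon CommandLine


@dataclass(frozen=True)
class RiskEvent:
    """One risk event produced when the analytic matches."""
    dest_device_id: str
    dest_user_id: str
    parent_process_name: str
    process_name: str
    risk_score: int
    risk_message: str


def process_name(path: str) -> str:
    """Return the file name component of a Windows (or POSIX) path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def risk_score(impact: int = IMPACT, confidence: int = CONFIDENCE) -> int:
    """Risk Score = (Impact * Confidence / 100); 70 * 50 / 100 == 35."""
    return impact * confidence // 100


def render_message(parent: str, child: str, device: str, user: str) -> str:
    """Substitute the $field$ tokens of the page's risk message."""
    return (RISK_MESSAGE
            .replace("$parent_process_name$", parent)
            .replace("$process_name$", child)
            .replace("$dest_device_id$", device)
            .replace("$dest_user_id$", user))


def detect(events: Iterable[ProcessEvent],
           allowlist: Sequence[str] = ()) -> List[RiskEvent]:
    """Flag office parents spawning cmd.exe, skipping allowlisted command lines.

    The allowlist is the tuning hook the page alludes to: substrings of known
    legitimate command lines (an assumed mechanism) suppress the risk event.
    """
    hits: List[RiskEvent] = []
    for ev in events:
        parent = process_name(ev.parent_image)
        child = process_name(ev.image)
        if parent.lower() not in OFFICE_APPS or child.lower() != "cmd.exe":
            continue
        if any(m.lower() in ev.command_line.lower() for m in allowlist):
            continue
        hits.append(RiskEvent(ev.computer, ev.user, parent, child, risk_score(),
                              render_message(parent, child, ev.computer, ev.user)))
    return hits


# Constructed sample events: one true hit, one non-office parent, one
# office parent with a known-good command line, one office parent not cmd.exe.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\jdoe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir %TEMP%"),
    ProcessEvent("WS01", "CORP\\jdoe", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("WS02", "CORP\\asmith",
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c \\fileshare\reports\approved_report.bat"),
    ProcessEvent("WS03", "CORP\\bng",
                 r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -File report.ps1"),
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS, allowlist=["approved_report.bat"]):
        print(hit.risk_score, hit.risk_message)
```

Without the allowlist both office-parent cmd.exe events are flagged at a Risk Score of 35; adding `approved_report.bat` to the allowlist keeps only the WINWORD.EXE event, which is the kind of tuning the Description and Known False Positives sections describe.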

References


Version: 3