title: Microsoft Outlook Spawning Windows Shell
status: experimental
description: Detects a Windows command line executable started from Microsoft Outlook
references:
    - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
author: Florian Roth
date: 2018/03/06
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        ParentImage:
            - '*\OUTLOOK.EXE'
        Image:
            - '*\cmd.exe'
            - '*\powershell.exe'
            - '*\wscript.exe'
            - '*\cscript.exe'
            - '*\sh.exe'
            - '*\bash.exe'
            - '*\schtasks.exe'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - False positives are possible, depends on organisation and processes
level: high
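Added example, not part of the rule or of the Sigma project: the rule's selection evaluated in Python over constructed Sysmon process-creation records, so the AND-across-fields / OR-within-list semantics and the case-insensitive wildcard can be checked against hits and non-hits. It assumes events are dicts keyed by the rule's field names and emulates Sigma's default matching with fnmatch.

```python
"""Added example, not part of the Sigma rule above: evaluates the rule's
selection against constructed Sysmon Event ID 1 records. Assumptions: events
are dicts keyed by the rule's field names; Sigma's case-insensitive '*'
wildcard matching is emulated with fnmatch."""
from fnmatch import fnmatchcase

# Patterns copied from the rule's selection.
PARENT_PATTERNS = ["*\\OUTLOOK.EXE"]
IMAGE_PATTERNS = ["*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe",
                  "*\\cscript.exe", "*\\sh.exe", "*\\bash.exe", "*\\schtasks.exe"]

def _matches_any(value, patterns):
    """Sigma string match: '*' is a wildcard, comparison is case-insensitive."""
    value = str(value).lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)

def matches_rule(event):
    """True when an event satisfies 'selection': all fields must match (AND),
    and a list-valued field matches if any of its patterns does (OR)."""
    return (str(event.get("EventID")) == "1"
            and _matches_any(event.get("ParentImage", ""), PARENT_PATTERNS)
            and _matches_any(event.get("Image", ""), IMAGE_PATTERNS))

def find_hits(events):
    """For each hit, return the 'fields' the rule asks analysts to review."""
    return [{k: e.get(k) for k in ("CommandLine", "ParentCommandLine")}
            for e in events if matches_rule(e)]

# Constructed sample events, not real telemetry.
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    # Hit: cmd.exe spawned by Outlook.
    {"EventID": 1, "ParentImage": OUTLOOK, "ParentCommandLine": OUTLOOK,
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # Hit: lowercase paths, showing the case-insensitive match.
    {"EventID": 1, "ParentImage": OUTLOOK.lower(), "ParentCommandLine": OUTLOOK.lower(),
     "Image": "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File update.ps1"},
    # Miss: parent is Excel, not Outlook.
    {"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    # Miss: Outlook spawned a child the rule does not list.
    {"EventID": 1, "ParentImage": OUTLOOK, "Image": "C:\\Windows\\System32\\notepad.exe"},
    # Miss: not a process-creation event (EventID 3 is a network connection).
    {"EventID": 3, "ParentImage": OUTLOOK, "Image": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("ALERT", hit)
```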