title: Office Macro Starts Cmd status: experimental description: Detects a Windows command line executable started from Microsoft Word or Excel references: - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 author: Florian Roth logsource: product: windows service: sysmon detection: selection: EventID: 1 ParentImage: - '*\WINWORD.EXE' - '*\EXCEL.EXE' Image: '*\cmd.exe' condition: selection fields: - CommandLine - ParentCommandLine falsepositives: - unknown level: high