CVE-2009-0238 Splunk · SPL

Detect Microsoft Office Remote Code Execution (CVE-2009-0238) in Splunk

CVE-2009-0238 is a remote code execution vulnerability in Microsoft Office (addressed in MS09-009) caused by improper handling of specially crafted Excel files, leading to arbitrary code execution in the context of the logged-on user. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog and has been actively exploited in the wild via malicious Office documents delivered through phishing campaigns.

MITRE ATT&CK

Tactic
Initial Access Execution TA0059

SPL Detection Query

Splunk (SPL)
spl 
index=windows sourcetype=WinEventLog:Security OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
| search (EventCode=4688 OR EventCode=1)
| eval parent=coalesce(ParentProcessName, parent_process_name)
| eval child=coalesce(NewProcessName, process_name)
| where match(lower(parent), "excel\.exe|winword\.exe|powerpnt\.exe")
| where match(lower(child), "cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|regsvr32\.exe|rundll32\.exe|certutil\.exe")
| eval command=coalesce(CommandLine, process)
| eval risk=case(
    match(lower(command), "-enc|-encoded"), "Encoded PowerShell",
    match(lower(command), "downloadstring|webclient"), "Network Download",
    match(lower(command), "iex|invoke-expression"), "In-Memory Execution",
    true(), "Suspicious Child Process"
  )
| table _time, host, user, parent, child, command, risk
| sort -_time
critical severity high confidence

Detects Office application parent processes spawning known LOLBin or shell child processes on Windows endpoints, consistent with exploitation of CVE-2009-0238 via malicious Excel documents.

Data Sources

Windows Security Event LogSysmon

Required Sourcetypes

WinEventLog:SecurityXmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate macro-driven business workflows that invoke cmd.exe or PowerShell
  • Office add-ins or plugins that programmatically launch system processes
  • Security tools that perform scripted Office document analysis

Other platforms for CVE-2009-0238

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Office Spawning PowerShell Encoded Command

    Expected signal: Sysmon Event ID 1 showing EXCEL.EXE as parent process of powershell.exe with a -EncodedCommand argument; DeviceProcessEvents in MDE capturing the parent-child chain

  2. Test 2Office Spawning CMD with Network Download

    Expected signal: Sysmon Event ID 1 for cmd.exe and certutil.exe processes; Sysmon Event ID 3 (Network Connect) from certutil.exe to 127.0.0.1:8888; Sysmon Event ID 11 for test_artifact.exe creation in TEMP

  3. Test 3Malicious Excel File Macro Execution Simulation via WScript

    Expected signal: Sysmon Event ID 11 for sim_payload.vbs creation; Sysmon Event ID 1 for wscript.exe and subsequently calc.exe process creation; parent chain visible in EDR

Last updated: 2026-06-19 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2009-0238 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002Execution

Related Techniques

T1203Exploitation for Client ExecutionT1566.001Spearphishing AttachmentT1059.001PowerShell

Same Tactic: Initial Access

Popular Detections