CVE-2009-0556

Microsoft Office PowerPoint Code Injection (CVE-2009-0556)

Initial Access Execution Last updated:

Detects exploitation attempts of CVE-2009-0556, a code injection vulnerability in Microsoft Office PowerPoint. Attackers can exploit this vulnerability via crafted PowerPoint files to execute arbitrary code in the context of the logged-in user. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
Microsoft
Product
Office

Weakness (CWE)

CWE-94

Timeline

Disclosed
January 7, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2009-0556 Microsoft Office PowerPoint Code Injection (CVE-2009-0556)?

Microsoft Office PowerPoint Code Injection (CVE-2009-0556) (CVE-2009-0556) maps to the Initial Access and Execution tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Microsoft Office PowerPoint Code Injection (CVE-2009-0556), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution
Microsoft Sentinel / Defender
kusto 
let suspiciousPptExtensions = dynamic(['.ppt', '.pptx', '.pps', '.ppsx', '.pot', '.potx']);
let lookback = 48h;
union DeviceProcessEvents, DeviceFileEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ 'powerpnt.exe'
    or (ActionType == 'FileCreated' and FileName has_any (suspiciousPptExtensions))
| where InitiatingProcessParentFileName in~ ('winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe')
    or (InitiatingProcessFileName =~ 'powerpnt.exe' and FileName has_any (suspiciousPptExtensions) and FolderPath has_any ('\\Temp\\', '\\AppData\\', '\\Downloads\\'))
| extend suspicionReason = case(
    InitiatingProcessFileName =~ 'powerpnt.exe' and ProcessCommandLine has_any ('cmd.exe', 'powershell', 'wscript', 'cscript', 'mshta'), 'PowerPoint spawning shell',
    FolderPath has_any ('\\Temp\\', '\\AppData\\Local\\Temp\\'), 'Suspicious temp path',
    true(), 'General anomaly'
  )
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath, ProcessCommandLine, suspicionReason

Detects PowerPoint spawning suspicious child processes or creating files in temp paths, consistent with CVE-2009-0556 exploitation via crafted .ppt files.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

  • Legitimate macros in PowerPoint files that launch scripts for business automation
  • IT deployment tools that use PowerPoint templates with scripting hooks
  • Security training or red team exercises running simulated phishing payloads

Sigma rule & cross-platform mapping

The detection logic for Microsoft Office PowerPoint Code Injection (CVE-2009-0556) (CVE-2009-0556) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2009-0556 Sigma rules on detection.fyi

Platform-specific guides for CVE-2009-0556

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-19 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PowerPoint Spawning cmd.exe (Simulated CVE-2009-0556 Payload Execution)

    Expected signal: Process creation event: parent=POWERPNT.EXE, child=cmd.exe with arguments '/c whoami'

  2. Test 2PowerPoint Spawning PowerShell with Encoded Command

    Expected signal: Sysmon Event ID 1: Image=powershell.exe, ParentImage=powerpnt.exe, CommandLine contains -EncodedCommand

  3. Test 3Crafted PPT File Drop to Temp Directory

    Expected signal: File creation event: FileName=exploit_test.ppt, FolderPath contains \Temp\

Unlock Pro Content

Get the full detection package for CVE-2009-0556 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002Execution

Related Techniques

T1203Exploitation for Client ExecutionT1566.001Spearphishing AttachmentT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections