Which SIEM platforms have a CVE-2009-0556 detection rule?

df00tech provides CVE-2009-0556 (Microsoft Office PowerPoint Code Injection (CVE-2009-0556)) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2009-0556 detection?

The CVE-2009-0556 detection is rated high severity with medium confidence.

What are common false positives for CVE-2009-0556?

Common false positives for CVE-2009-0556 include: Legitimate macros in PowerPoint files that launch scripts for business automation; IT deployment tools that use PowerPoint templates with scripting hooks; Security training or red team exercises running simulated phishing payloads.

CVE-2009-0556 Sumo Logic CSE · Sumo

Detect Microsoft Office PowerPoint Code Injection (CVE-2009-0556) in Sumo Logic CSE

Q: What data sources are required to detect Microsoft Office PowerPoint Code Injection (CVE-2009-0556) (CVE-2009-0556)?

Detecting Microsoft Office PowerPoint Code Injection (CVE-2009-0556) requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel.

Detects exploitation attempts of CVE-2009-0556, a code injection vulnerability in Microsoft Office PowerPoint. Attackers can exploit this vulnerability via crafted PowerPoint files to execute arbitrary code in the context of the logged-in user. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactic: Initial Access Execution

Sumo Detection Query

Sumo Logic CSE (Sumo)

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| parse "ParentImage=*\\" as parentImage
| parse "Image=*\\" as childImage
| where toLowerCase(parentImage) = "powerpnt.exe"
| where toLowerCase(childImage) in ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")
| parse "CommandLine=*" as commandLine
| count by _sourceHost, parentImage, childImage, commandLine
| order by _count desc

high severity medium confidence

Identifies PowerPoint spawning scripting interpreters on Windows systems via Sumo Logic, as a signal for CVE-2009-0556 exploitation.

Data Sources

Windows SysmonWindows Security Logs

Required Tables

windows/sysmonwindows/security

False Positives & Tuning

Legitimate macro-based PowerPoint presentations launching administrative scripts
Custom enterprise workflow automation using Office COM
Developer or DevSecOps scripting tasks initiated from Office

Other platforms for CVE-2009-0556

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1PowerPoint Spawning cmd.exe (Simulated CVE-2009-0556 Payload Execution)
Expected signal: Process creation event: parent=POWERPNT.EXE, child=cmd.exe with arguments '/c whoami'
Test 2PowerPoint Spawning PowerShell with Encoded Command
Expected signal: Sysmon Event ID 1: Image=powershell.exe, ParentImage=powerpnt.exe, CommandLine contains -EncodedCommand
Test 3Crafted PPT File Drop to Temp Directory
Expected signal: File creation event: FileName=exploit_test.ppt, FolderPath contains \Temp\

Last updated: 2026-06-19 Research depth: standard

References (2)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2009-0556 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0002Execution

Related Techniques

T1203Exploitation for Client Execution T1566.001Spearphishing Attachment T1059Command and Scripting Interpreter

Detect Microsoft Office PowerPoint Code Injection (CVE-2009-0556) in Sumo Logic CSE

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2009-0556

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

MITRE ATT&CK

Sumo Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2009-0556

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox