T1566.001 Spearphishing Attachment Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Primary detection: Office applications spawning suspicious child processes
// This is the strongest post-attachment-open indicator available in endpoint telemetry
let OfficeApps = dynamic([
  "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
  "mspub.exe", "msaccess.exe", "onenote.exe", "visio.exe", "eqnedt32.exe"
]);
let SuspiciousChildren = dynamic([
  "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
  "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
  "curl.exe", "wget.exe", "msbuild.exe", "installutil.exe", "schtasks.exe",
  "at.exe", "wmic.exe", "odbcconf.exe", "pcalua.exe", "cmstp.exe",
  "msiexec.exe", "explorer.exe", "hh.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| extend RiskLevel = case(
    FileName in~ ("powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"), "Critical",
    FileName in~ ("certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe", "odbcconf.exe", "cmstp.exe"), "High",
    "Medium"
  )
| extend SuspiciousNetwork = ProcessCommandLine has_any ("http://", "https://", "ftp://", "\\\\")
| extend EncodedPayload = ProcessCommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String", "/e:jscript", "/e:vbscript")
| extend TempExecution = ProcessCommandLine has_any ("\\Temp\\", "\\AppData\\", "\\Downloads\\", "%temp%", "%appdata%")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RiskLevel, SuspiciousNetwork, EncodedPayload, TempExecution
| sort by Timestamp desc
// Secondary query: Executables created by Office apps or launched from suspicious paths
// (run separately or union with primary)
// DeviceFileEvents
// | where Timestamp > ago(24h)
// | where InitiatingProcessFileName in~ (OfficeApps)
// | where ActionType == "FileCreated"
// | where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".ps1"
//    or FileName endswith ".vbs" or FileName endswith ".js" or FileName endswith ".hta"
// | project Timestamp, DeviceName, AccountName, FileName, FolderPath, InitiatingProcessFileName

high severity high confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate Excel macros used in finance/operations departments that call cmd.exe or PowerShell for data processing or report generation
Microsoft Office add-ins and COM automation tools (Power BI, Tableau connector, SAP) that spawn child processes as part of normal integration workflows
IT-managed document templates that use embedded VBA macros to launch approved internal tools or scripts from known paths
PDF reader auto-open actions or form submission scripts in enterprise document management workflows
Outlook meeting integrations (Zoom, Teams, Webex plugins) that spawn helper processes when calendar invites are processed

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\powerpnt.exe"
   OR ParentImage="*\\outlook.exe" OR ParentImage="*\\mspub.exe" OR ParentImage="*\\msaccess.exe"
   OR ParentImage="*\\onenote.exe" OR ParentImage="*\\eqnedt32.exe" OR ParentImage="*\\visio.exe")
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
   OR Image="*\\regsvr32.exe" OR Image="*\\rundll32.exe" OR Image="*\\certutil.exe"
   OR Image="*\\bitsadmin.exe" OR Image="*\\msbuild.exe" OR Image="*\\installutil.exe"
   OR Image="*\\wmic.exe" OR Image="*\\odbcconf.exe" OR Image="*\\cmstp.exe"
   OR Image="*\\msiexec.exe" OR Image="*\\schtasks.exe" OR Image="*\\hh.exe")
| eval ChildProcess=mvindex(split(Image, "\\"), -1)
| eval ParentProcess=mvindex(split(ParentImage, "\\"), -1)
| eval RiskLevel=case(
    match(Image, "(?i)(powershell|pwsh|mshta|wscript|cscript)"), "Critical",
    match(Image, "(?i)(certutil|bitsadmin|regsvr32|rundll32|odbcconf|cmstp)"), "High",
    1==1, "Medium"
  )
| eval HasNetworkRef=if(match(CommandLine, "(?i)(https?://|ftp://|\\\\\\\\)"), 1, 0)
| eval HasEncodedPayload=if(match(CommandLine, "(?i)(-enc|-encodedcommand|frombase64string|/e:jscript|/e:vbscript)"), 1, 0)
| eval TempExecution=if(match(CommandLine, "(?i)(\\\\temp\\\\|\\\\appdata\\\\|\\\\downloads\\\\|%temp%|%appdata%)"), 1, 0)
| table _time, host, User, ChildProcess, CommandLine, ParentProcess, ParentCommandLine, RiskLevel, HasNetworkRef, HasEncodedPayload, TempExecution
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate Excel macros used in finance/operations departments that call cmd.exe or PowerShell for data processing or report generation
Microsoft Office add-ins and COM automation tools (Power BI, Tableau connector, SAP) that spawn child processes as part of normal integration workflows
IT-managed document templates that use embedded VBA macros to launch approved internal tools or scripts from known paths
PDF reader auto-open actions or form submission scripts in enterprise document management workflows
Outlook meeting integrations (Zoom, Teams, Webex plugins) that spawn helper processes when calendar invites are processed

Elastic Security (EQL)

eql

sequence by host.name with maxspan=30s
  [process where event.action == "start" and
   process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "mspub.exe", "msaccess.exe", "onenote.exe", "visio.exe", "eqnedt32.exe") and
   process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
                   "curl.exe", "wget.exe", "msbuild.exe", "installutil.exe", "schtasks.exe",
                   "at.exe", "wmic.exe", "odbcconf.exe", "pcalua.exe", "cmstp.exe",
                   "msiexec.exe", "explorer.exe", "hh.exe")]
/* Standalone version (without sequence) for broader coverage */
/* process where event.action == "start" and
   process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                           "mspub.exe", "msaccess.exe", "onenote.exe", "visio.exe", "eqnedt32.exe") and
   process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe",
                   "curl.exe", "wget.exe", "msbuild.exe", "installutil.exe", "schtasks.exe",
                   "at.exe", "wmic.exe", "odbcconf.exe", "pcalua.exe", "cmstp.exe",
                   "msiexec.exe", "hh.exe") */

critical severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate macro-enabled Office documents used by developers or finance teams that call cmd.exe or PowerShell for automation tasks (e.g., report generation scripts).
IT administrative tools embedded in Excel spreadsheets that invoke PowerShell for inventory or patch management queries.
Outlook integrations or add-ins (e.g., DocuSign, Salesforce) that spawn msiexec.exe or rundll32.exe during installation or update workflows.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "username",
  "sourceip",
  QIDNAME(qid) AS event_name,
  "Payload"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND QIDNAME(qid) ILIKE '%process create%'
  AND LOWER("Payload") MATCHES '(?i)ParentImage.*\\\\(winword|excel|powerpnt|outlook|mspub|msaccess|onenote|visio|eqnedt32)\.exe'
  AND LOWER("Payload") MATCHES '(?i)Image.*\\\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|msbuild|installutil|wmic|odbcconf|cmstp|msiexec|schtasks|hh)\.exe'
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC
LIMIT 1000

-- Alternative using Windows Security Event 4688 with process creation audit enabled:
-- SELECT
--   DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
--   logsourcename(logsourceid) AS log_source,
--   "username",
--   "sourceip",
--   "ProcessName",
--   "ParentProcessName",
--   "CommandLine"
-- FROM events
-- WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%windows%'
--   AND deviceEventId = 4688
--   AND LOWER("ParentProcessName") MATCHES '(?i)(winword|excel|powerpnt|outlook|mspub|msaccess|onenote|visio|eqnedt32)\.exe$'
--   AND LOWER("ProcessName") MATCHES '(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|msbuild|installutil|wmic|odbcconf|cmstp|msiexec|schtasks|hh)\.exe$'
--   AND starttime > NOW() - 86400000
-- ORDER BY starttime DESC

critical severity medium confidence

Data Sources

Microsoft Windows Sysmon (via QRadar DSM) Windows Security Event Log (EventID 4688)

Required Tables

events

False Positives

Macro-enabled workbooks used by IT automation teams that legitimately invoke PowerShell or cmd.exe for scripted workflows such as pulling data from internal APIs.
Managed software deployment tools that use Outlook-triggered automations calling msiexec.exe or rundll32.exe for sanctioned software installs.
Pen testing or red team exercises where simulated phishing attachments are detonated in a test environment connected to production SIEM.

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" EventCode=1
| where ParentImage matches /(?i)\\(winword|excel|powerpnt|outlook|mspub|msaccess|onenote|visio|eqnedt32)\.exe$/
| where Image matches /(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|curl|wget|msbuild|installutil|schtasks|at|wmic|odbcconf|pcalua|cmstp|msiexec|explorer|hh)\.exe$/
| parse field=Image "*\\*" as _dir, ChildProcess
| parse field=ParentImage "*\\*" as _pdir, ParentProcess
| if (ChildProcess matches /(?i)(powershell|pwsh|mshta|wscript|cscript)\.exe/, "Critical",
     if (ChildProcess matches /(?i)(certutil|bitsadmin|regsvr32|rundll32|odbcconf|cmstp)\.exe/, "High", "Medium")) as RiskLevel
| if (CommandLine matches /(?i)(https?:\/\/|ftp:\/\/|\\\\\\\\)/, 1, 0) as HasNetworkRef
| if (CommandLine matches /(?i)(-enc|-encodedcommand|frombase64string|\/e:jscript|\/e:vbscript)/, 1, 0) as HasEncodedPayload
| if (CommandLine matches /(?i)(\\temp\\|\\appdata\\|\\downloads\\|%temp%|%appdata%)/, 1, 0) as TempExecution
| fields _messageTime, ComputerName, User, ChildProcess, CommandLine, ParentProcess, ParentCommandLine, RiskLevel, HasNetworkRef, HasEncodedPayload, TempExecution
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Sysmon via Sumo Logic universal forwarder Sumo Logic Cloud SIEM Enterprise normalized schema

Required Tables

windows/sysmon source category

False Positives

Business intelligence tools like Power BI embedded in Excel that call PowerShell cmdlets to refresh data from internal APIs or SharePoint.
Legal or HR teams using macro-enabled Word templates that spawn cmd.exe to print or convert documents via command-line utilities.
Software vendors whose Office add-ins use msiexec.exe or rundll32.exe for silent update routines triggered when documents are opened.

Google Chronicle / SecOps

yaral

rule spearphishing_attachment_office_child_process {
  meta:
    author = "df00tech"
    description = "Detects Office applications spawning suspicious child processes indicative of spearphishing attachment execution (T1566.001)"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566.001"
    reference = "https://attack.mitre.org/techniques/T1566/001/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = /(?i)\\(winword|excel|powerpnt|outlook|mspub|msaccess|onenote|visio|eqnedt32)\.exe$/
    $e.target.process.file.full_path = /(?i)\\(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|curl|wget|msbuild|installutil|schtasks|at|wmic|odbcconf|pcalua|cmstp|msiexec|hh)\.exe$/

  match:
    $e.principal.hostname over 1h

  outcome:
    $risk_score = max(
      if($e.target.process.file.full_path = /(?i)(powershell|pwsh|mshta|wscript|cscript)\.exe$/, 100,
      if($e.target.process.file.full_path = /(?i)(certutil|bitsadmin|regsvr32|rundll32|odbcconf|cmstp)\.exe$/, 80, 60))
    )
    $has_network_ref = max(if($e.target.process.command_line = /(?i)(https?:\/\/|ftp:\/\/|\\\\\\\\)/, 1, 0))
    $has_encoded_payload = max(if($e.target.process.command_line = /(?i)(-enc|-encodedcommand|frombase64string|\/e:jscript|\/e:vbscript)/, 1, 0))
    $temp_execution = max(if($e.target.process.command_line = /(?i)(\\temp\\|\\appdata\\|\\downloads\\)/, 1, 0))
    $child_process = array_distinct($e.target.process.file.full_path)
    $parent_process = array_distinct($e.principal.process.file.full_path)
    $hostname = array_distinct($e.principal.hostname)
    $username = array_distinct($e.principal.user.userid)

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM via Windows Sysmon forwarding Chronicle Ingestion API with Defender for Endpoint events

Required Tables

UDM PROCESS_LAUNCH events

False Positives

Automated document processing pipelines where Word or Excel templates invoke PowerShell or cmd.exe as part of a scheduled batch conversion workflow.
Corporate macro policies that allow sanctioned macros to call certutil.exe or bitsadmin.exe for legacy file transfer operations.
Security product agents that attach to Office processes and spawn child processes (e.g., DLP or data classification tools using msiexec.exe for updates).

CrowdStrike LogScale (CQL)

cql

// Primary: Falcon ProcessRollup2 - Office parent spawning suspicious child
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /^(winword|excel|powerpnt|outlook|mspub|msaccess|onenote|visio|eqnedt32)\.exe$/i
| FileName = /^(cmd|powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|certutil|bitsadmin|curl|wget|msbuild|installutil|schtasks|at|wmic|odbcconf|pcalua|cmstp|msiexec|hh)\.exe$/i
| RiskLevel := if(FileName = /^(powershell|pwsh|mshta|wscript|cscript)\.exe$/i, "Critical",
                if(FileName = /^(certutil|bitsadmin|regsvr32|rundll32|odbcconf|cmstp)\.exe$/i, "High", "Medium"))
| HasNetworkRef := if(CommandLine = /(?i)(https?:\/\/|ftp:\/\/|\\\\)/, "true", "false")
| HasEncodedPayload := if(CommandLine = /(?i)(-enc|-encodedcommand|frombase64string|\/e:jscript|\/e:vbscript)/, "true", "false")
| TempExecution := if(CommandLine = /(?i)(\\temp\\|\\appdata\\|\\downloads\\|%temp%|%appdata%)/, "true", "false")
| table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, RiskLevel, HasNetworkRef, HasEncodedPayload, TempExecution])
| sort(timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2 events) CrowdStrike Falcon Data Replicator (FDR) feed to LogScale

Required Tables

ProcessRollup2 Falcon event stream

False Positives

Enterprise Excel-based dashboards used by IT operations that execute PowerShell scripts to pull metrics from monitoring endpoints via HTTP APIs.
Microsoft Office deployment scripts that use msiexec.exe or rundll32.exe triggered from Outlook-based approval workflow integrations.
Third-party Office add-ins or productivity tools (e.g., PDF converters, e-signature plugins) that spawn cmd.exe or wscript.exe as part of their normal operation.

Spearphishing Attachment

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Initial Access

Popular Detections