T1566.003 Spearphishing via Service Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1566.003 — Spearphishing via Service
// Social media delivery occurs outside enterprise visibility. This query detects two
// high-confidence post-delivery execution signals observable in endpoint telemetry:
// Signal 1: Messaging/collaboration apps directly spawning command interpreters or LOLBins
// Signal 2: Scripts or interpreters executing from user Download/Desktop directories
let SuspiciousChildProcs = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "msiexec.exe", "wmic.exe", "bitsadmin.exe", "curl.exe", "wget.exe"
]);
let MessagingClients = dynamic([
    "Teams.exe", "Slack.exe", "Discord.exe", "Telegram.exe", "WhatsApp.exe",
    "update.exe"  // Slack/Discord updater sometimes used as parent
]);
let MessagingPaths = dynamic([
    "\\Microsoft\\Teams\\", "\\Slack\\", "\\Discord\\",
    "\\Telegram Desktop\\", "\\WhatsApp\\"
]);
let DownloadPaths = dynamic(["\\Downloads\\", "\\Desktop\\"]);
// Signal 1: Messaging desktop client spawning suspicious child processes
// Covers Storm-1811 Teams vishing, ToddyCat Telegram delivery
let MessagingSpawn = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (MessagingClients)
    or InitiatingProcessFolderPath has_any (MessagingPaths)
| where FileName in~ (SuspiciousChildProcs)
| extend Signal = "MessagingClientSpawn"
| extend SignalDetail = strcat(InitiatingProcessFileName, " spawned ", FileName);
// Signal 2: Scripting engines or interpreters executing directly from Download/Desktop paths
// Covers files delivered via browser after social media link-click
let DownloadExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (DownloadPaths)
    or (ProcessCommandLine has_any (DownloadPaths)
        and FileName in~ (SuspiciousChildProcs))
| where FileName in~ (SuspiciousChildProcs)
    or FolderPath has_any (DownloadPaths)
| extend Signal = "DownloadDirectoryExecution"
| extend SignalDetail = strcat(FileName, " executed from ", FolderPath);
// Signal 3 (correlated): Any executable in Downloads that spawns a child interpreter
let DownloadSpawnChain = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFolderPath has_any (DownloadPaths)
| where FileName in~ (SuspiciousChildProcs)
| extend Signal = "DownloadedBinarySpawnedInterpreter"
| extend SignalDetail = strcat(InitiatingProcessFileName, " (from Downloads) spawned ", FileName);
// Combine all signals
union MessagingSpawn, DownloadExecution, DownloadSpawnChain
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessFolderPath, Signal, SignalDetail
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)
IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory
Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval ParentImage_lower=lower(ParentImage)
| eval CommandLine_lower=lower(CommandLine)
| eval ParentCommandLine_lower=lower(ParentCommandLine)
// Signal 1: Messaging client as parent process spawning suspicious children
| eval MessagingParent=if(
    match(ParentImage_lower, "(\\\\teams\.exe|\\\\slack\.exe|\\\\discord\.exe|\\\\telegram\.exe|\\\\whatsapp\.exe)")
    OR match(ParentImage_lower, "(\\\\microsoft\\\\teams\\\\|\\\\slack\\\\|\\\\discord\\\\|\\\\telegram desktop\\\\)"),
    1, 0)
// Signal 2: Interpreter/LOLBin executing from Downloads or Desktop directory
| eval DownloadExecution=if(
    match(Image_lower, "(\\\\downloads\\\\|\\\\desktop\\\\)")
    OR (match(CommandLine_lower, "(\\\\downloads\\\\|\\\\desktop\\\\)")
        AND match(Image_lower, "(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\rundll32\.exe|\\\\regsvr32\.exe|\\\\certutil\.exe|\\\\msiexec\.exe)")),
    1, 0)
// Signal 3: Downloads-resident binary spawning interpreters (two-stage chain)
| eval DownloadSpawnChain=if(
    match(ParentImage_lower, "(\\\\downloads\\\\|\\\\desktop\\\\)")
    AND match(Image_lower, "(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\rundll32\.exe)"),
    1, 0)
// Suspicious child process type indicator
| eval SuspiciousChild=if(
    match(Image_lower, "(\\\\cmd\.exe|\\\\powershell\.exe|\\\\pwsh\.exe|\\\\wscript\.exe|\\\\cscript\.exe|\\\\mshta\.exe|\\\\rundll32\.exe|\\\\regsvr32\.exe|\\\\certutil\.exe|\\\\msiexec\.exe|\\\\wmic\.exe|\\\\bitsadmin\.exe)"),
    1, 0)
| where (MessagingParent=1 AND SuspiciousChild=1) OR DownloadExecution=1 OR DownloadSpawnChain=1
| eval Signal=case(
    MessagingParent=1 AND SuspiciousChild=1, "MessagingClientSpawn",
    DownloadSpawnChain=1, "DownloadedBinarySpawnedInterpreter",
    DownloadExecution=1, "DownloadDirectoryExecution",
    true(), "Unknown")
| eval RiskScore=MessagingParent + DownloadExecution + DownloadSpawnChain + SuspiciousChild
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, Signal, RiskScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software packages installed from the Downloads directory, especially corporate-mandated tools distributed by IT teams via Teams or Slack file sharing
Automated deployment pipelines or CI/CD runners that legitimately use Slack or Teams integrations to trigger system-level commands on developer workstations
End users running downloaded scripts for self-service IT tasks that are part of approved SOPs distributed via helpdesk Teams channels
Developers running downloaded build tools, compilers, or deployment scripts from their Downloads directory as part of normal development workflows
Discord community tools (bots, utilities, moderation tools) that users download and execute from their Downloads directory for gaming or development communities

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.parent.name : ("slack.exe","teams.exe","discord.exe","skype.exe","telegram.exe",
                           "signal.exe","zoom.exe","webex.exe","msteams.exe","slack*") and
  process.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe",
                   "mshta.exe","rundll32.exe","regsvr32.exe","certutil.exe","msiexec.exe",
                   "curl.exe","wget.exe","bitsadmin.exe")

high severity medium confidence

Data Sources

Windows Process Events

Required Tables

logs-endpoint.events.process-*

False Positives

Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)
IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory
Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "ParentImage" as MessagingApp, "Image" as ChildProcess, "CommandLine" as CommandLine,
  CASE WHEN "Image" ILIKE '%powershell.exe%' OR "Image" ILIKE '%mshta.exe%' THEN 10
       WHEN "Image" ILIKE '%certutil.exe%' OR "Image" ILIKE '%bitsadmin.exe%' THEN 9
       WHEN "Image" ILIKE '%cmd.exe%' THEN 8
       ELSE 6 END as RiskScore
FROM events
WHERE eventid IN (1, 4688)
  AND LOWER(coalesce("ParentImage","")) LIKE ANY
    ('%slack.exe%','%teams.exe%','%discord.exe%','%skype.exe%','%telegram.exe%',
     '%signal.exe%','%zoom.exe%','%webex.exe%','%msteams.exe%')
  AND LOWER("Image") LIKE ANY
    ('%cmd.exe%','%powershell.exe%','%pwsh.exe%','%wscript.exe%','%cscript.exe%',
     '%mshta.exe%','%rundll32.exe%','%regsvr32.exe%','%certutil.exe%','%bitsadmin.exe%')
ORDER BY RiskScore DESC, EventTime DESC

high severity medium confidence

Data Sources

Windows Sysmon Windows Security Event Log

Required Tables

events

False Positives

Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)
IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory
Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| json auto
| where EventID in ("1","4688")
| eval ParentLower = toLower(coalesce(ParentImage, ParentProcessName, ""))
| eval ImageLower = toLower(coalesce(Image, NewProcessName, ""))
| where ParentLower matches ".*(slack|teams|discord|skype|telegram|signal|zoom|webex|msteams)\..*"
| where ImageLower matches ".*(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|curl|wget)\..*"
| eval risk = case(
    ImageLower matches ".*(powershell|mshta|wscript|cscript).*", "critical",
    ImageLower matches ".*(certutil|bitsadmin|curl|wget).*", "high",
    true(), "medium")
| table _time, Computer, User, ParentImage, Image, CommandLine, risk
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Windows Security via Sumo Logic

Required Tables

windows/sysmon windows/security

False Positives

Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)
IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory
Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms

Google Chronicle / SecOps

yaral

rule spearphishing_via_service {
  meta:
    author = "Detection Engineering"
    description = "Detects spearphishing via messaging service spawning suspicious child processes (T1566.003)"
    severity = "HIGH"
    tactic = "TA0001"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($e.principal.process.file.full_path, `(?i)(slack|teams|discord|skype|telegram|signal|zoom|webex|msteams)`) nocase
    re.regex($e.target.process.file.full_path, `(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe`) nocase

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows Process Events via Chronicle UDM

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)
IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory
Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ParentBaseFileName = /(slack|teams|discord|skype|telegram|signal|zoom|webex|msteams)/i
| ImageFileName = /(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe$/i
| eval risk = case {
    ImageFileName = /(powershell|mshta|wscript)\.exe$/i : "critical";
    ImageFileName = /(certutil|bitsadmin)\.exe$/i : "high";
    * : "medium"
  }
| table timestamp, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, risk
| sort by timestamp desc

high severity medium confidence

Data Sources

CrowdStrike Falcon Process Events

Required Tables

ProcessRollup2

False Positives

Legitimate software downloaded from vendor websites and installed directly from the Downloads folder — common for one-off installs of approved tools (Zoom, VPN clients, browser installers)
IT teams distributing deployment scripts or configuration tools via Microsoft Teams file sharing as part of approved endpoint management or onboarding workflows
Developers who routinely download and execute build artifacts, deployment scripts, or tools from GitHub releases directly from their Downloads directory
Corporate Discord or Slack bots and integrations that legitimately invoke system commands or scripts as part of approved DevOps or IT automation workflows
HR or security onboarding processes where employees are instructed to download and run onboarding packages or compliance agents shared via collaboration platforms

Spearphishing via Service

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Initial Access

Popular Detections