Which SIEM platforms have a THREAT-InitialAccess-PhishingMacro detection rule?

df00tech provides THREAT-InitialAccess-PhishingMacro (Phishing Document Macro Execution and Initial Access) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the THREAT-InitialAccess-PhishingMacro detection?

The THREAT-InitialAccess-PhishingMacro detection is rated high severity with high confidence.

What are common false positives for THREAT-InitialAccess-PhishingMacro?

Common false positives for THREAT-InitialAccess-PhishingMacro include: Legitimate Office macros that invoke cmd.exe for file management operations (e.g., print macros, export scripts); Developers testing Office automation or VBA scripts who invoke PowerShell from Excel or Word; IT management scripts embedded in Office templates that run system commands (should be replaced with modern automation).

THREAT-InitialAccess-PhishingMacro

Phishing Document Macro Execution and Initial Access

Q: What data sources are required to detect Phishing Document Macro Execution and Initial Access (THREAT-InitialAccess-PhishingMacro)?

Detecting Phishing Document Macro Execution and Initial Access requires the following data sources: Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceFileEvents), Sysmon Event ID 1, 11, Microsoft 365 Defender.

Initial Access Execution Last updated: April 25, 2026

Despite Microsoft's macro-blocking default settings (Block macros from the internet in Office 2016+, enabled by default since 2022), phishing document macro execution continues to be a primary initial access vector for SMBs. Attackers have adapted: moving to ISO/IMG file containers that strip the Mark-of-the-Web (MOTW) flag, using template injection attacks (DOTM/XLTM), abusing OneNote .one files (dropped in 2023 but resurfaced with .onepkg), and targeting users who have manually disabled macro blocking via Group Policy misconfiguration or social engineering ('Enable content to view this document'). QakBot successors (Pikabot, DarkGate), TA577, and Lazarus Group are documented using this technique against UK SMBs. NCSC 2025 advisory noted macro-based attacks persist in 40% of SMB ransomware intrusions due to inadequate macro restrictions.

What is THREAT-InitialAccess-PhishingMacro Phishing Document Macro Execution and Initial Access?

Phishing Document Macro Execution and Initial Access (THREAT-InitialAccess-PhishingMacro) maps to the Initial Access and Execution tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for Phishing Document Macro Execution and Initial Access, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceFileEvents), Sysmon Event ID 1, 11, Microsoft 365 Defender. The queries below are rated high severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Initial Access Execution

Microsoft Sentinel / Defender

kusto

// THREAT: Phishing Macro Initial Access Detection
// Detects malicious macro execution via suspicious child processes
// from Office applications and document-related processes

let OfficeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe"]);
let SuspiciousChildren = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe",
    "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe",
    "curl.exe", "wget.exe", "schtasks.exe", "taskschd.msc"
]);
let HighRiskApps = dynamic(["wscript.exe", "cscript.exe", "mshta.exe",
    "regsvr32.exe", "certutil.exe", "bitsadmin.exe"]);
// Alert 1: Office app spawning suspicious child process
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| extend HighRisk = FileName in~ (HighRiskApps)
| extend RiskScore = iff(HighRisk, 90, 75)
| project Timestamp, DeviceName, AccountName,
    FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RiskScore
| extend ThreatType = "Macro_SuspiciousChildProcess";
// Alert 2: ISO/IMG container mounting followed by Office doc execution
let MountEvents = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".iso" or FileName endswith ".img" or FileName endswith ".vhd"
| where ActionType =~ "FileCreated"
| project MountTime=Timestamp, DeviceName, MountedFile=FileName, AccountName;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ (OfficeApps)
| where FileName in~ (SuspiciousChildren)
| join kind=inner MountEvents on DeviceName, AccountName
| where datetime_diff('minute', Timestamp, MountTime) between (0 .. 30)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, MountedFile
| extend ThreatType = "Macro_ISOContainer_Execution"

Two-vector phishing macro detection: (1) Office applications spawning suspicious child processes (cmd.exe, PowerShell, wscript.exe, mshta.exe, etc.) — the direct macro execution indicator; (2) ISO/IMG file mounting followed by Office document execution within 30 minutes — the MOTW-bypass pattern where attackers package documents in ISO containers to circumvent macro blocking. High-risk child processes (mshta, regsvr32, cscript) score 90; lower-risk (cmd, PowerShell) score 75.

high severity high confidence

Data Sources

Microsoft Defender for Endpoint (DeviceProcessEvents, DeviceFileEvents) Sysmon Event ID 1, 11 Microsoft 365 Defender

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate Office macros that invoke cmd.exe for file management operations (e.g., print macros, export scripts)
Developers testing Office automation or VBA scripts who invoke PowerShell from Excel or Word
IT management scripts embedded in Office templates that run system commands (should be replaced with modern automation)
Legitimate ISO file usage for software installation followed by document viewing on the same day

Elastic Security (EQL)

eql

/* Alert 1: Office application spawning suspicious child process (macro-based initial access) */
process where event.type == "start" and
  process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe") and
  process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe", "curl.exe", "wget.exe", "schtasks.exe")

/* Alert 2: ISO/IMG container mount followed by Office macro execution within 30 minutes */
/* Run as a separate EQL sequence query */
/* sequence by host.name, user.name with maxspan=30m
  [file where event.action == "creation" and
    (file.extension : "iso" or file.extension : "img" or file.extension : "vhd")]
  [process where event.type == "start" and
    process.parent.name : ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "msaccess.exe", "mspub.exe") and
    process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe")]
*/

Detects phishing macro initial access via Office applications spawning LOLBins or script interpreters. Covers both direct macro execution and ISO/IMG container delivery that bypasses Mark-of-the-Web. Targets QakBot successor (Pikabot, DarkGate), TA577, and Lazarus Group TTPs documented in NCSC 2025 advisory. Uses ECS process.parent.name and process.name fields from Elastic Endpoint or Winlogbeat with Sysmon.

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon (Event ID 1) Elastic Agent (system integration)

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-*

False Positives

Legitimate IT automation using Excel/Word COM objects that spawn cmd.exe or PowerShell for scheduled data refresh or ETL pipelines — whitelist by specific CommandLine hash or parent process path in known automation service accounts
Corporate-approved macro-enabled templates in finance or HR departments that use certutil.exe for certificate operations or schtasks.exe for report scheduling — tune by adding user group or host exclusions for known automation endpoints
Developer environments with VSTO add-ins or Office automation test harnesses that legitimately spawn PowerShell for build/test tasks — exclude by host name prefix (e.g., DEV-* or BUILD-*) in the query filter

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  QIDNAME(qid) AS EventName,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "ParentProcessPath" AS ParentProcess,
  "ProcessPath" AS ChildProcess,
  "CommandLine" AS CommandLine,
  CASE
    WHEN "ProcessPath" ILIKE '%\\mshta.exe'
      OR "ProcessPath" ILIKE '%\\cscript.exe'
      OR "ProcessPath" ILIKE '%\\wscript.exe'
      OR "ProcessPath" ILIKE '%\\regsvr32.exe'
      OR "ProcessPath" ILIKE '%\\certutil.exe'
      OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
    THEN 90
    ELSE 75
  END AS RiskScore,
  CASE
    WHEN "ProcessPath" ILIKE '%\\mshta.exe'
      OR "ProcessPath" ILIKE '%\\cscript.exe'
      OR "ProcessPath" ILIKE '%\\wscript.exe'
      OR "ProcessPath" ILIKE '%\\regsvr32.exe'
      OR "ProcessPath" ILIKE '%\\certutil.exe'
      OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
    THEN 'HIGH'
    ELSE 'MEDIUM'
  END AS Severity
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND eventid = 1
  AND (
    "ParentProcessPath" ILIKE '%\\winword.exe'
    OR "ParentProcessPath" ILIKE '%\\excel.exe'
    OR "ParentProcessPath" ILIKE '%\\powerpnt.exe'
    OR "ParentProcessPath" ILIKE '%\\outlook.exe'
    OR "ParentProcessPath" ILIKE '%\\onenote.exe'
    OR "ParentProcessPath" ILIKE '%\\mspub.exe'
    OR "ParentProcessPath" ILIKE '%\\msaccess.exe'
  )
  AND (
    "ProcessPath" ILIKE '%\\cmd.exe'
    OR "ProcessPath" ILIKE '%\\powershell.exe'
    OR "ProcessPath" ILIKE '%\\pwsh.exe'
    OR "ProcessPath" ILIKE '%\\mshta.exe'
    OR "ProcessPath" ILIKE '%\\wscript.exe'
    OR "ProcessPath" ILIKE '%\\cscript.exe'
    OR "ProcessPath" ILIKE '%\\regsvr32.exe'
    OR "ProcessPath" ILIKE '%\\rundll32.exe'
    OR "ProcessPath" ILIKE '%\\certutil.exe'
    OR "ProcessPath" ILIKE '%\\bitsadmin.exe'
    OR "ProcessPath" ILIKE '%\\wmic.exe'
    OR "ProcessPath" ILIKE '%\\msiexec.exe'
    OR "ProcessPath" ILIKE '%\\curl.exe'
    OR "ProcessPath" ILIKE '%\\schtasks.exe'
  )
LAST 24 HOURS
ORDER BY RiskScore DESC, starttime DESC

QRadar AQL query detecting Office applications (Word, Excel, PowerPoint, Outlook, OneNote, Publisher, Access) spawning LOLBins and script interpreters via Sysmon Event ID 1 (Process Create). Assigns risk scores of 90 for high-risk child processes (mshta, cscript, wscript, regsvr32, certutil, bitsadmin) and 75 for other suspicious children. Requires Sysmon custom properties ParentProcessPath, ProcessPath, and CommandLine to be mapped in QRadar DSM.

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Sysmon via Windows Event Log (Event ID 1) QRadar DSM with custom Sysmon property extraction

Required Tables

events

False Positives

Automated report generation workflows using Excel with macros that call cmd.exe or PowerShell to execute batch file post-processing — create a QRadar building block to exclude known service account usernames (e.g., SVC_REPORTS) from this rule
Software deployment tools (PDQ Deploy, SCCM) that open Office documents during package installation and may spawn cmd.exe — exclude by source IP ranges of deployment servers in the WHERE clause
Third-party Office add-ins (e.g., DocuSign, Adobe, Salesforce for Outlook) that use embedded scripts or helper executables — review CommandLine values and whitelist specific signed binaries with known-good argument patterns

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*wineventlog*)
| where EventID = "1" OR event_id = "1"
| parse field=ParentImage "*\\*" as _parentDir, ParentProcessName nodrop
| parse field=Image "*\\*" as _procDir, ProcessName nodrop
| where ParentProcessName in ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "onenote.exe", "mspub.exe", "msaccess.exe")
| where ProcessName in ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "msiexec.exe", "curl.exe", "wget.exe", "schtasks.exe")
| eval HighRisk = if (ProcessName in ("mshta.exe", "cscript.exe", "wscript.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"), "YES", "NO")
| eval RiskScore = if (HighRisk = "YES", 90, 75)
| eval ThreatActors = "QakBot successor (Pikabot/DarkGate), TA577, Lazarus Group"
| eval ThreatType = "Macro_SuspiciousChildProcess"
| fields _sourceHost, User, ParentProcessName, ProcessName, CommandLine, RiskScore, HighRisk, ThreatType, ThreatActors
| count by _sourceHost, User, ParentProcessName, ProcessName, HighRisk, RiskScore, ThreatType
| sort - RiskScore

Sumo Logic CSE query detecting Microsoft Office applications spawning suspicious child processes consistent with macro-based phishing initial access. Parses Sysmon Event ID 1 fields using Sumo's parse operator to extract ParentProcessName and ProcessName from Image/ParentImage paths. Risk-scores results with 90 for high-risk LOLBins (mshta, cscript, wscript, regsvr32, certutil, bitsadmin) and 75 for others. Covers QakBot successors, Pikabot, DarkGate, TA577, and Lazarus Group delivery patterns.

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon Event ID 1 (Process Create) via Sumo Installed Collector Windows Event Log collector with Sysmon operational channel

Required Tables

Sysmon Process Create events (EventID 1) ingested under appropriate _sourceCategory

False Positives

Finance department Excel dashboards with approved macros that invoke PowerShell scripts for data pull from internal APIs — add a Sumo Logic allowlist lookup table of approved automation host/user pairs and join against it to suppress known-good events
IT support workflows that use Outlook rules to trigger cmd.exe-based scripts for ticket creation or alert forwarding — investigate the CommandLine field; legitimate automation will have static, recognisable argument patterns rather than obfuscated or download-oriented commands
Legacy line-of-business applications using Word or Excel automation that call regsvr32.exe to register COM components during startup — correlate with software deployment windows and suppress events within change-freeze windows where deployment activity is expected

Google Chronicle / SecOps

yaral

rule phishing_macro_office_suspicious_child_process {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects Office applications spawning LOLBins or script interpreters, indicative of macro-based phishing initial access. Covers Pikabot, DarkGate, TA577, and Lazarus Group TTPs. NCSC 2025: macro-based delivery in 40% of UK SMB ransomware intrusions."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566.001"
    mitre_attack_subtechnique = "T1566.001"
    reference = "https://attack.mitre.org/techniques/T1566/001/"
    created = "2025-04-25"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec|curl|wget|schtasks)\.exe$/
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user

  condition:
    $proc
}

rule phishing_macro_iso_container_delivery {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects ISO/IMG/VHD container file creation followed within 30 minutes by an Office application spawning a suspicious child process, indicating MOTW-bypass phishing delivery chain."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1566.001"
    created = "2025-04-25"
    version = "1.0"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    $file.target.file.full_path = /(?i)\.(iso|img|vhd|vhdx)$/
    $file.principal.hostname = $hostname
    $file.principal.user.userid = $user

    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path = /(?i)(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
    $proc.target.process.file.full_path = /(?i)(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec)\.exe$/
    $proc.principal.hostname = $hostname
    $proc.principal.user.userid = $user

  match:
    $hostname, $user over 30m

  condition:
    $file and $proc
}

Two Chronicle YARA-L 2.0 rules for phishing macro initial access detection. Rule 1 (phishing_macro_office_suspicious_child_process) triggers on any Office application spawning a LOLBin or script interpreter using UDM PROCESS_LAUNCH events. Rule 2 (phishing_macro_iso_container_delivery) uses a temporal correlation over 30 minutes to detect ISO/IMG container file drops followed by Office-spawned suspicious processes, capturing the MOTW-bypass delivery chain used by Pikabot and DarkGate. Both rules use UDM principal/target field model.

high severity high confidence

Data Sources

Google Chronicle SIEM Chronicle Unified Data Model (UDM) Windows endpoint telemetry via Chronicle forwarder or third-party ingestion (CrowdStrike, Carbon Black, SentinelOne)

Required Tables

UDM PROCESS_LAUNCH events UDM FILE_CREATION events

False Positives

Legitimate macro-enabled workbooks used by finance teams that invoke PowerShell or cmd.exe for automated report delivery — add an exception list in Chronicle using a reference list of approved automation user accounts bound to specific Office processes
ISO/IMG files downloaded by IT admins for OS provisioning followed by running Excel-based inventory tools — the 30-minute correlation window will catch this pattern; tune by excluding known IT admin hostnames or adding a NOT condition on the file path matching known ISO repo directories
Security tooling that uses Office document generation (e.g., SIEM report exports via Word COM) and may invoke cmd.exe for file operations — review target.process.command_line in alerts; legitimate tooling will have predictable, non-obfuscated arguments

CrowdStrike LogScale (CQL)

cql

// Alert 1: Office application spawning suspicious child process (macro execution)
#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|onenote|msaccess|mspub)\.exe$/
| FileName = /(?i)^(cmd|powershell|pwsh|mshta|wscript|cscript|regsvr32|rundll32|certutil|bitsadmin|wmic|msiexec|curl|wget|schtasks)\.exe$/
| HighRisk := if(FileName =~ /(?i)^(mshta|cscript|wscript|regsvr32|certutil|bitsadmin)\.exe$/, "YES", "NO")
| RiskScore := if(HighRisk = "YES", 90, 75)
| ThreatType := "Macro_SuspiciousChildProcess"
| ThreatActors := "Pikabot, DarkGate, TA577, Lazarus Group"
| groupBy(
    [ComputerName, UserName, ParentBaseFileName, FileName, HighRisk, RiskScore, ThreatType],
    function=[
      count(as=EventCount),
      values(CommandLine, as=CommandLines),
      values(TargetProcessId, as=ChildPIDs),
      max(RiskScore, as=MaxRisk)
    ]
  )
| sort(MaxRisk, order=desc)

// Alert 2 (run separately): ISO/VHD file write followed by Office macro execution
// #event_simpleName=/(ProcessRollup2|NewScriptWritten|PeFileWritten)/
// | join(
//   {#event_simpleName=/(AsepValueUpdate|PeFileWritten|NewScriptWritten)/
//    | FileName =~ /(?i)\.(iso|img|vhd|vhdx)$/
//    | groupBy([ComputerName, UserName], function=collect([FileName], as=ContainerFiles))},
//   field=[ComputerName, UserName], mode=inner
// )
// | ParentBaseFileName =~ /(?i)^(winword|excel|powerpnt|outlook|onenote|mspub)\.exe$/
// | FileName =~ /(?i)^(cmd|powershell|mshta|wscript|cscript|regsvr32|rundll32|certutil)\.exe$/

CrowdStrike LogScale (Falcon NG-SIEM) CQL query detecting Office applications spawning LOLBins or script interpreters using ProcessRollup2 Falcon telemetry events. Applies regex matching on ParentBaseFileName and FileName fields (Falcon normalised process names without path). Assigns risk scores and groups by host/user/process combination to aggregate repeated execution attempts. Covers Pikabot, DarkGate, TA577, and Lazarus Group initial access patterns. A commented-out second query sketches ISO container correlation using file write events; adapt to your Falcon sensor data availability.

high severity high confidence

Data Sources

CrowdStrike Falcon Platform (EDR) CrowdStrike LogScale (Humio) Falcon ProcessRollup2 telemetry

Required Tables

ProcessRollup2 events (Falcon EDR process telemetry)

False Positives

Automated Excel-based reporting tools used by operations teams that spawn PowerShell for data aggregation — create a LogScale saved search exclusion using a lookup table of approved service account UserName values paired with known-good CommandLine prefixes
Managed software deployment via Microsoft SCCM or Intune that temporarily spawns Office processes during package installation and may call msiexec.exe or cmd.exe — correlate RiskScore=75 alerts against your change management window schedule and suppress during maintenance periods
Security awareness training platforms (e.g., KnowBe4, Proofpoint Security Awareness) that deliver simulated phishing documents which may execute macro payloads in sandboxed or monitored environments — exclude by hostname suffix or OU membership if your training uses dedicated test endpoints

Sigma rule & cross-platform mapping

The detection logic for Phishing Document Macro Execution and Initial Access (THREAT-InitialAccess-PhishingMacro) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for THREAT-InitialAccess-PhishingMacro Sigma rules on detection.fyi

Platform-specific guides for THREAT-InitialAccess-PhishingMacro

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-25 Research depth: deep

References (5)

Testing Methodology

Validate this detection against 1 adversary technique from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Office Macro Child Process Simulation (Excel)
Expected signal: Sysmon Event ID 1: Excel.exe spawning cmd.exe. Parent process chain: explorer.exe > excel.exe > cmd.exe.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for THREAT-InitialAccess-PhishingMacro including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Phishing Document Macro Execution and Initial Access

What is THREAT-InitialAccess-PhishingMacro Phishing Document Macro Execution and Initial Access?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for THREAT-InitialAccess-PhishingMacro

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Parent Technique

Related Techniques

Same Tactic: Initial Access

Popular Detections

What is THREAT-InitialAccess-PhishingMacro Phishing Document Macro Execution and Initial Access?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for THREAT-InitialAccess-PhishingMacro

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Parent Technique

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox