Winword Spawning Cmd

Description

The following detection identifies Microsoft Word spawning cmd.exe. This is typically not common behavior and is not default with winword.exe. Winword.exe will generally be found in the following path: C:\Program Files\Microsoft Office\root\Office16 (version will vary). Cmd.exe spawning from winword.exe is common for a spearphishing attachment and is actively used; the command line will indicate what is being executed. During triage, review parallel processes and identify any files that may have been written. It is possible that COM is utilized to trampoline the child process to explorer.exe or wmiprvse.exe.

Winword Spawning Cmd Help

To successfully implement this search, you need to be ingesting process information from your endpoints, including the name of the process responsible for the changes, into the Processes node of the Endpoint datamodel. In addition, confirm that the latest CIM App (4.20 or higher) and the latest TA for the endpoint product are installed.
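
The parent/child match from the description, as an added example (not the detection's own search): it runs over constructed process-creation events and keeps the command line for triage. The dictionary keys follow CIM Endpoint.Processes field names, the events are made up for illustration, and the "Program Files (x86)" prefix for 32-bit Office is an assumption added to the path given above.

```python
import ntpath

# Constructed sample events; keys mirror CIM Endpoint.Processes field names
# (an assumption about how the data is shaped once exported from the datamodel).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "alice", "parent_process_name": "WINWORD.EXE",
     "parent_process_path": OFFICE,
     "process_name": "cmd.exe", "process": "cmd.exe /c whoami"},
    # Parent is explorer.exe, so a parent-name rule does not fire. This is
    # the blind spot the description notes for COM-launched child processes.
    {"dest": "ws02", "user": "bob", "parent_process_name": "explorer.exe",
     "parent_process_path": r"C:\Windows\explorer.exe",
     "process_name": "cmd.exe", "process": "cmd.exe"},
    # Parent is named winword.exe but sits outside the usual Office directory.
    {"dest": "ws03", "user": "carol", "parent_process_name": "winword.exe",
     "parent_process_path": r"C:\Users\carol\AppData\Local\Temp\winword.exe",
     "process_name": "cmd.exe", "process": "cmd.exe /c dir"},
    # Word starting a different child: not this detection.
    {"dest": "ws04", "user": "dave", "parent_process_name": "winword.exe",
     "parent_process_path": OFFICE,
     "process_name": "splwow64.exe", "process": "splwow64.exe 8192"},
]

# Usual install roots, lower-cased; the Office version directory varies.
EXPECTED_PREFIXES = (r"c:\program files\microsoft office",
                     r"c:\program files (x86)\microsoft office")


def detect_winword_spawning_cmd(events):
    """Return one triage record per winword.exe -> cmd.exe process creation."""
    hits = []
    for ev in events:
        parent = ev.get("parent_process_name", "").lower()
        child = ev.get("process_name", "").lower()
        if parent != "winword.exe" or child != "cmd.exe":
            continue
        parent_dir = ntpath.dirname(ev.get("parent_process_path", "")).lower()
        hits.append({
            "dest": ev.get("dest"),
            "user": ev.get("user"),
            "command_line": ev.get("process", ""),  # what was executed
            "parent_path_expected": parent_dir.startswith(EXPECTED_PREFIXES),
        })
    return hits
```
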
