This note documents detection patterns related to Office Macro Execution within Windows environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4688	Process creation	Critical	Detects Office parent spawning child processes.
Sysmon	1	Process creation	Critical	Best execution source for macro-driven lineage.
Sysmon	11	File create	High	Payloads or temp files dropped by macro.
PowerShell	4104	Script block logging	Critical	Macro-launched PowerShell payload visibility.
Sysmon	3	Network connection	High	Macro-triggered outbound retrieval or beaconing.
Sysmon	22	DNS query	High	DNS lookups following macro execution.
Office Alerts / Protected View logs	N/A	Macro enablement context	Medium	User interaction clue.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Office spawns shell	`winword.exe -> powershell.exe / cmd.exe`	Critical	Strong macro abuse signal.
Office spawns LOLBIN	mshta, regsvr32, rundll32	Critical	Common staged execution.
Document from internet	Zone.Identifier ADS	High	External delivery clue.
Template file abuse	`.dotm`, `.xlsm`, `.docm`	Critical	Macro-enabled format.
Child process hidden	Hidden PowerShell flags	Critical	Common attacker stealth.
Office immediate network activity	Download cradle after document open	Critical	Strong staging signal.

Common Tools

Tool	Usage
winword.exe	Word macro host
excel.exe	Excel macro host
outlook.exe	Attachment launch path
powershell.exe	Macro child payload
cmd.exe	Shell stage
mshta.exe	LOLBIN proxy execution
VBA macros	Embedded code execution

Relevant Artifacts

Sysmon Event IDs 1, 3, 11, 22
Security Event ID 4688
PowerShell 4104
Prefetch:
- WINWORD.EXE
- EXCEL.EXE
- POWERSHELL.EXE
- MSHTA.EXE
Office recent files
Zone.Identifier ADS
Amcache / ShimCache
MFT / USN for payloads
Macro-enabled file extensions:
- .docm
- .xlsm
- .pptm

MITRE ATT&CK References

T1204 User Execution
T1059.005 Visual Basic
T1059.001 PowerShell
T1218 Signed Binary Proxy Execution

Decision Tree

Which Office process executed?
- winword
- excel
- outlook
Child process spawned?
- powershell
- cmd
- LOLBIN
Document origin?
- Email
- Download
- Share
Follow-up activity?
- Network
- File drop
- Persistence
Expand:
- Macro content
- Adjacent downloads
- User context
Scope:
- Single document
- Campaign delivery
- Shared IOC

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4688
| where ParentProcessName has_any ("winword.exe","excel.exe","outlook.exe")
| project TimeGenerated, Computer, ParentProcessName, NewProcessName, CommandLine

Sysmon
| where EventID == 1
| where ParentImage has_any ("\\winword.exe","\\excel.exe")
| project TimeGenerated, Computer, ParentImage, Image, CommandLine

EQL

process where process.parent.name in ("winword.exe","excel.exe","outlook.exe")

sequence by host.name with maxspan=5m
  [ process where process.parent.name in ("winword.exe","excel.exe") ]
  [ network where process.name in ("powershell.exe","mshta.exe") ]

Sigma

title: Office Macro Execution Detection
id: 5d8a2f14-office-macro
status: experimental
description: Detects suspicious Office child process execution linked to macro abuse
references:
  - https://attack.mitre.org/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  service: security
detection:
  selection:
    ParentProcessName|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\OUTLOOK.EXE'
  condition: selection
fields:
  - ParentProcessName
  - NewProcessName
  - CommandLine
falsepositives:
  - Legitimate Office automation
level: high
tags:
  - attack.execution
  - attack.t1204

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Disable unsigned macros	Restrict macro execution	Critical	Strong prevention
Office child process alerts	Monitor parent-child chains	Critical	Core detection
Protected View	Keep enabled	High	Adds user friction
Zone.Identifier awareness	Inspect downloaded docs	High	Delivery clue
PowerShell logging	Capture macro child payloads	Critical	Strong visibility