Detection of Office or document viewer processes (e.g., winword.exe) initiating network connections to remote templates or executing scripts due to manipulated template references (e.g., embedded in .docx, .rtf, or .dotm files), followed by suspicious child process creation (e.g., PowerShell).

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TemplateURLPatterns | Can be tuned to flag known bad domains or external resources in template fields. |
| ParentProcess | May be environment-specific; typically Word, Excel, PowerPoint. |
| TimeWindow | Correlation window for process + network activity. |
| ChildProcessAnomalyThreshold | Trigger when document-spawned child process deviates from expected profile. |
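The correlation the two tables describe, as an added example (not part of the original page): Sysmon EventCode 3 from an Office process is paired with a later EventCode 1 whose parent is that same process, gated by the tunables above. The tunable values, the internal-suffix allowlist and the sample events are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Tunables mirroring the table above; the values are assumptions, not a vetted baseline.
TEMPLATE_URL_PATTERNS = [re.compile(r"\.(xyz|top)$", re.I)]   # known-bad template hosts
INTERNAL_SUFFIXES = (".corp.local",)                           # trusted template shares
PARENT_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}
TIME_WINDOW = timedelta(minutes=2)                             # network -> child correlation window
EXPECTED_CHILDREN = {"splwow64.exe", "msosync.exe"}            # benign document-spawned children

def _name(path): return path.rsplit("\\", 1)[-1].lower()
def _t(s): return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _suspicious_host(host):
    # External destinations are suspect by default; known-bad patterns flag regardless.
    return not host.endswith(INTERNAL_SUFFIXES) or any(p.search(host) for p in TEMPLATE_URL_PATTERNS)

def detect(events):
    """Return one alert per (EventCode 3, EventCode 1) pair that meets every condition."""
    conns = [e for e in events if e["EventCode"] == 3 and _name(e["Image"]) in PARENT_PROCESSES]
    alerts = []
    for ch in events:
        if ch["EventCode"] != 1 or _name(ch["ParentImage"]) not in PARENT_PROCESSES:
            continue
        if _name(ch["Image"]) in EXPECTED_CHILDREN:
            continue  # matches the expected child profile, not an anomaly
        for c in conns:
            delta = _t(ch["UtcTime"]) - _t(c["UtcTime"])
            if (c["ProcessGuid"] == ch["ParentProcessGuid"] and timedelta(0) <= delta <= TIME_WINDOW
                    and _suspicious_host(c["DestinationHostname"])):
                alerts.append({"parent": _name(c["Image"]), "host": c["DestinationHostname"],
                               "child": _name(ch["Image"]), "seconds": delta.seconds})
    return alerts

# Constructed sample events with reduced Sysmon fields; not captured from a real host.
SAMPLE = [
    {"EventCode": 3, "UtcTime": "2024-03-01 09:00:00", "Image": r"C:\Office\WINWORD.EXE",
     "ProcessGuid": "{A}", "DestinationHostname": "cdn-templates.example.xyz"},
    {"EventCode": 1, "UtcTime": "2024-03-01 09:00:05", "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Office\WINWORD.EXE", "ParentProcessGuid": "{A}"},       # expected child
    {"EventCode": 1, "UtcTime": "2024-03-01 09:00:12", "Image": r"C:\Windows\powershell.exe",
     "ParentImage": r"C:\Office\WINWORD.EXE", "ParentProcessGuid": "{A}"},       # alert
    {"EventCode": 1, "UtcTime": "2024-03-01 09:05:00", "Image": r"C:\Windows\powershell.exe",
     "ParentImage": r"C:\Office\WINWORD.EXE", "ParentProcessGuid": "{A}"},       # outside window
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a)
```

Running it yields a single alert for the powershell.exe child 12 seconds after the external template fetch; the printing helper and the late child are filtered by the profile and the window respectively.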