Know executable file

Bouzeghoub — Sun, 04 Jan 2026 07:37:50 GMT

Hi,

Please, any idea to known executable from Microsoft Office Ex: .docx file with XQL query.

Best regards.

Re: Know executable file

susekar — Tue, 06 Jan 2026 15:22:42 GMT

Greetings for the day!

To identify executables associated with Microsoft Office activity (such as a .docx file being opened in Word) using XQL, you should query the xdr_data dataset. This dataset tracks real-time endpoint activity, including process execution and file operations.

In the context of Microsoft Office, the primary processes responsible for handling files are:

winword.exe – Word documents (.doc, .docx)
excel.exe – Excel spreadsheets (.xls, .xlsx)
powerpnt.exe – PowerPoint presentations (.ppt, .pptx)

1. Identifying Child Processes (Executables Spawned by Office)

Attackers often use malicious macros in Office documents to spawn secondary processes. You can use the following query to identify when an Office application (the actor) starts a new process:

2. Identifying Executable Files Written to Disk by Office

You can also hunt for cases where an Office application creates an executable file (.exe) on disk, which is a common indicator of a dropped payload:

3. Identifying the Specific Document Trigger

To determine which document (for example, invoice.docx) triggered the activity, inspect the Office process command line or related file-open events:

Summary of Data Sources

Process execution tracking: Use the xdr_data dataset or the xdr_process preset for real-time threat hunting.
Installed software inventory: If you only need to confirm which systems have Microsoft Office installed, use the host_inventory_applications preset.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Happy New year!!