01-01-2026 06:17 AM - edited 01-03-2026 11:37 PM
Hi,
Please, any idea to known executable from Microsoft Office Ex: .docx file with XQL query.
Best regards.
01-06-2026 07:22 AM
Hello @Bouzeghoub ,
Greetings for the day!
To identify executables associated with Microsoft Office activity (such as a .docx file being opened in Word) using XQL, you should query the xdr_data dataset. This dataset tracks real-time endpoint activity, including process execution and file operations.
In the context of Microsoft Office, the primary processes responsible for handling files are:
winword.exe – Word documents (.doc, .docx)
excel.exe – Excel spreadsheets (.xls, .xlsx)
powerpnt.exe – PowerPoint presentations (.ppt, .pptx)
Attackers often use malicious macros in Office documents to spawn secondary processes. You can use the following query to identify when an Office application (the actor) starts a new process:
dataset = xdr_data
| filter actor_process_image_name in ("winword.exe", "excel.exe", "powerpnt.exe")
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| fields _time, agent_hostname, actor_process_image_name, action_process_image_name, action_process_image_command_lineYou can also hunt for cases where an Office application creates an executable file (.exe) on disk, which is a common indicator of a dropped payload:
dataset = xdr_data
| filter actor_process_image_name in ("winword.exe", "excel.exe", "powerpnt.exe")
| filter event_type = ENUM.FILE and action_file_extension = "exe"
| fields _time, agent_hostname, actor_process_image_name, action_file_name, action_file_path, action_file_sha256To determine which document (for example, invoice.docx) triggered the activity, inspect the Office process command line or related file-open events:
dataset = xdr_data
| filter actor_process_image_name = "winword.exe"
| filter actor_process_command_line contains ".docx"
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| fields _time, agent_hostname, actor_process_command_line, action_process_image_name, action_process_image_command_lineProcess execution tracking: Use the xdr_data dataset or the xdr_process preset for real-time threat hunting.
Installed software inventory: If you only need to confirm which systems have Microsoft Office installed, use the host_inventory_applications preset.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New year!!
Thanks & Regards,
S. Subashkar Sekar
01-06-2026 07:22 AM
Hello @Bouzeghoub ,
Greetings for the day!
To identify executables associated with Microsoft Office activity (such as a .docx file being opened in Word) using XQL, you should query the xdr_data dataset. This dataset tracks real-time endpoint activity, including process execution and file operations.
In the context of Microsoft Office, the primary processes responsible for handling files are:
winword.exe – Word documents (.doc, .docx)
excel.exe – Excel spreadsheets (.xls, .xlsx)
powerpnt.exe – PowerPoint presentations (.ppt, .pptx)
Attackers often use malicious macros in Office documents to spawn secondary processes. You can use the following query to identify when an Office application (the actor) starts a new process:
dataset = xdr_data
| filter actor_process_image_name in ("winword.exe", "excel.exe", "powerpnt.exe")
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| fields _time, agent_hostname, actor_process_image_name, action_process_image_name, action_process_image_command_lineYou can also hunt for cases where an Office application creates an executable file (.exe) on disk, which is a common indicator of a dropped payload:
dataset = xdr_data
| filter actor_process_image_name in ("winword.exe", "excel.exe", "powerpnt.exe")
| filter event_type = ENUM.FILE and action_file_extension = "exe"
| fields _time, agent_hostname, actor_process_image_name, action_file_name, action_file_path, action_file_sha256To determine which document (for example, invoice.docx) triggered the activity, inspect the Office process command line or related file-open events:
dataset = xdr_data
| filter actor_process_image_name = "winword.exe"
| filter actor_process_command_line contains ".docx"
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| fields _time, agent_hostname, actor_process_command_line, action_process_image_name, action_process_image_command_lineProcess execution tracking: Use the xdr_data dataset or the xdr_process preset for real-time threat hunting.
Installed software inventory: If you only need to confirm which systems have Microsoft Office installed, use the host_inventory_applications preset.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Happy New year!!
Thanks & Regards,
S. Subashkar Sekar
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
