Specific areas you will look into and explore in your test environment:

Upgrade Sysmon (for ProcessTampering)

YJ's Findings

Office 2013 Download Link: https://mega.nz/file/EDwAHQzT#AnEX1EA2jpq7Ez_zXAGK6gOLMYlVz_VR4CulDmzH8Cw

Note: enable DetectOnly when installing Office.

Offensive Step Documentation

VBA macro codes:

https://gist.github.com/real-yj98/0a2eae52293860646c3900332c88c982

Description:

Use a VBA macro to download a payload from the Internet that spawns calc.exe with a spoofed parent (explorer.exe) and a spoofed command line.

How it is achieved:

  1. Retrieve the PID of a legitimate-looking process, e.g. explorer.exe

  2. Create a new process (such as powershell.exe) with that process as its parent, with a legitimate-looking command line, and in a suspended state

  3. Overwrite the command line stored in the new process's PEB

  4. Resume the process
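A defender-side correlation for step 2, added here as an example and not part of YJ's notes: Sysmon Event ID 1 records the spoofed explorer.exe as the parent, but the real creator first has to open explorer.exe with the PROCESS_CREATE_PROCESS right (0x80), which Sysmon Event ID 10 (ProcessAccess) captures. The events, PIDs and paths below are constructed, and the check assumes Sysmon is configured to log ProcessAccess against the would-be parent.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# PROCESS_CREATE_PROCESS (0x0080): the access right a process needs on the
# chosen "parent" before it can pass that handle as the new child's parent.
PROCESS_CREATE_PROCESS = 0x0080

@dataclass
class ProcessAccess:          # Sysmon Event ID 10, subset of fields
    utc_time: datetime
    source_pid: int
    source_image: str
    target_pid: int
    granted_access: int       # Sysmon logs this as a hex string, e.g. "0x1FFFFF"

@dataclass
class ProcessCreate:          # Sysmon Event ID 1, subset of fields
    utc_time: datetime
    pid: int
    image: str
    parent_pid: int
    parent_image: str

def granted_access_from_sysmon(text: str) -> int:
    """Convert Sysmon's GrantedAccess string ("0x1FFFFF") to an int."""
    return int(text, 16)

def find_spoofed_parents(accesses, creates, window=timedelta(seconds=10)):
    """Pair each ProcessCreate with any earlier ProcessAccess (within `window`)
    in which some *other* process opened the recorded parent with
    PROCESS_CREATE_PROCESS. That opener is the likely real creator."""
    hits = []
    for c in creates:
        for a in accesses:
            if a.target_pid != c.parent_pid or a.source_pid == c.parent_pid:
                continue
            if not a.granted_access & PROCESS_CREATE_PROCESS:
                continue
            if timedelta(0) <= c.utc_time - a.utc_time <= window:
                hits.append((c, a))
    return hits

# Constructed sample events (not real telemetry): Word opens explorer.exe (pid 2768)
# with full access, and a "child of explorer.exe" appears one second later.
T = datetime(2021, 6, 1, 12, 0, 0)
SAMPLE_ACCESSES = [
    ProcessAccess(T, 4120, r"C:\...\Office15\WINWORD.EXE", 2768, granted_access_from_sysmon("0x1FFFFF")),
    ProcessAccess(T, 3012, r"C:\Windows\System32\taskmgr.exe", 2768, granted_access_from_sysmon("0x1000")),
]
SAMPLE_CREATES = [
    ProcessCreate(T + timedelta(seconds=1), 5566, r"C:\...\powershell.exe", 2768, r"C:\Windows\explorer.exe"),
    ProcessCreate(T + timedelta(seconds=30), 5600, r"C:\Windows\System32\notepad.exe", 2768, r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for c, a in find_spoofed_parents(SAMPLE_ACCESSES, SAMPLE_CREATES):
        print(f"{c.image} (pid {c.pid}) claims parent {c.parent_image}; "
              f"likely created by {a.source_image} (pid {a.source_pid})")
```

The taskmgr.exe access (0x1000, query-only) and the notepad.exe launch 30 s later are deliberately outside the rule, so only the powershell.exe creation is flagged; the PEB command-line overwrite in step 3 is not visible in Event ID 1, which records the command line as it was at creation.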