And explore in your test environment:
Upgrade Sysmon (for ProcessTampering)
Office 2013 Download Link: https://mega.nz/file/EDwAHQzT#AnEX1EA2jpq7Ez_zXAGK6gOLMYlVz_VR4CulDmzH8Cw
*Note: enable DetectOnly when installing Office
VBA macro code:
https://gist.github.com/real-yj98/0a2eae52293860646c3900332c88c982
Description:
Use a VBA macro to download a payload from the Internet that spawns calc.exe under a spoofed parent (explorer.exe) and with a spoofed command line.
How is it achieved:
Retrieve the PID of a legitimate-looking process, e.g. explorer.exe
Create a new process (such as powershell.exe) with that process as its parent, with a legitimate-looking command line, in a suspended state
Overwrite the process's command line in its PEB
Resume the process
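From the defender's side, the point of the lab above is that the child's recorded parent (ParentProcessId / ParentImage in Sysmon Event ID 1) is the spoofed one, so the parent field alone will not reveal who really started the process. The usable signal is earlier: to create a child under another parent, the creator must first open that parent with a handle carrying PROCESS_CREATE_PROCESS (0x0080), which Sysmon records as Event ID 10 (ProcessAccess) with that bit set in GrantedAccess. The following is an added detection example, not code from the page or the linked gist; the Sysmon events are constructed sample records, and the correlation window and the field names are assumptions based on Sysmon's EventData schema.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# PROCESS_CREATE_PROCESS: the access right a handle to the "parent" must carry
# for it to be usable as the parent of a newly created process.
PROCESS_CREATE_PROCESS = 0x0080


@dataclass
class SysmonEvent:
    event_id: int          # 1 = ProcessCreate, 10 = ProcessAccess
    utc_time: datetime
    data: dict = field(default_factory=dict)


def _t(seconds):
    """Constructed timestamps relative to a fixed base time (sample data only)."""
    return datetime(2024, 1, 15, 9, 30, 0) + timedelta(seconds=seconds)


# Constructed sample telemetry, not real logs. Field names follow Sysmon's
# EventData schema for Event ID 10 (ProcessAccess) and Event ID 1 (ProcessCreate).
SAMPLE_EVENTS = [
    # Benign: a system process queries explorer with a read-only right (0x1000).
    SysmonEvent(10, _t(0), {
        "SourceImage": r"C:\Windows\System32\svchost.exe", "SourceProcessId": 900,
        "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 5000,
        "GrantedAccess": "0x1000"}),
    # Suspicious: an Office process opens explorer with full access (includes 0x80).
    SysmonEvent(10, _t(5), {
        "SourceImage": r"C:\Program Files\Microsoft Office 15\root\office15\WINWORD.EXE",
        "SourceProcessId": 4321,
        "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 5000,
        "GrantedAccess": "0x1FFFFF"}),
    # One second later a child appears with explorer as its recorded parent.
    SysmonEvent(1, _t(6), {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ProcessId": 6100, "CommandLine": "powershell.exe -NoProfile",
        "ParentProcessId": 5000, "ParentImage": r"C:\Windows\explorer.exe"}),
    # Benign: explorer launching notepad much later, with no matching handle event.
    SysmonEvent(1, _t(600), {
        "Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 6200,
        "CommandLine": "notepad.exe", "ParentProcessId": 5000,
        "ParentImage": r"C:\Windows\explorer.exe"}),
]


def grants_create_process(event):
    """True for an Event ID 10 whose GrantedAccess mask includes PROCESS_CREATE_PROCESS."""
    if event.event_id != 10:
        return False
    mask = int(event.data["GrantedAccess"], 16)   # Sysmon logs the mask as a hex string
    return bool(mask & PROCESS_CREATE_PROCESS)


def find_spoofed_parents(events, window=timedelta(seconds=30)):
    """Correlate each ProcessCreate with a recent ProcessAccess on its claimed parent.

    A finding is raised when the child's recorded parent was opened with
    PROCESS_CREATE_PROCESS by a *different* process shortly before the child
    started; that opener is the likely real creator.
    """
    handle_opens = [e for e in events if grants_create_process(e)]
    findings = []
    for child in (e for e in events if e.event_id == 1):
        claimed_parent = child.data["ParentProcessId"]
        for h in handle_opens:
            if h.data["TargetProcessId"] != claimed_parent:
                continue
            if h.data["SourceProcessId"] == claimed_parent:
                continue  # a process opening itself is not parent spoofing
            if not (timedelta(0) <= child.utc_time - h.utc_time <= window):
                continue
            findings.append({
                "child_image": child.data["Image"],
                "child_pid": child.data["ProcessId"],
                "claimed_parent": child.data["ParentImage"],
                "likely_creator": h.data["SourceImage"],
                "likely_creator_pid": h.data["SourceProcessId"],
            })
            break
    return findings


if __name__ == "__main__":
    for f in find_spoofed_parents(SAMPLE_EVENTS):
        print(f"{f['child_image']} (pid {f['child_pid']}) claims parent "
              f"{f['claimed_parent']} but was likely created by "
              f"{f['likely_creator']} (pid {f['likely_creator_pid']})")
```

Two caveats when running this against real telemetry: Event ID 10 is only produced for process pairs your Sysmon configuration includes, so explorer.exe (and whichever other "legitimate-looking" parents matter in your environment) must be covered by the ProcessAccess filter, and some legitimate software (debuggers, installers) requests PROCESS_CREATE_PROCESS as part of full access, so the SourceImage should be weighed rather than treated as a verdict on its own. The spoofed command line is a separate problem: Sysmon records the value present at creation time, so the legitimate-looking string is what lands in Event ID 1, and the PEB rewrite that follows is not visible in that event.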