Malicious Child Process from Office Application — APT3 Spear-Phishing Pattern
Detects command interpreters and download tools executing as child processes of Office and Acrobat applications. This is an initial access pattern documented in the APT3 profile: spear-phishing with malicious documents that run macros or embedded exploits to deploy second-stage payloads.
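The parent/child match described above, sketched as an added example run over constructed process-creation events; it is not the rule's own logic. The Sysmon-style field names (`Image`, `ParentImage`) and both process-name lists are assumptions, since the page does not enumerate them.

```python
import ntpath

# Assumed names, not taken from the page: document-handling parents and the
# interpreters / download-capable tools that rarely run as their children.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
               "acrobat.exe", "acrord32.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "mshta.exe", "certutil.exe", "bitsadmin.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path; tolerates quotes and None."""
    return ntpath.basename((path or "").strip().strip('"')).lower()


def is_suspicious(event):
    """True when a document application spawned an interpreter or download tool."""
    return (image_name(event.get("ParentImage")) in DOC_PARENTS
            and image_name(event.get("Image")) in SUSPECT_CHILDREN)


def detect(events):
    """Return the subset of process-creation events that match the pattern."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (hypothetical hosts and paths, for illustration).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"id": 2, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 3, "ParentImage": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe"},  # benign print helper
    {"id": 4, "ParentImage": r'"C:\Program Files (x86)\Adobe\Reader\AcroRd32.exe"',
     "Image": r"C:\Windows\System32\certutil.exe"},
    {"id": 5, "ParentImage": None, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["id"], image_name(hit["ParentImage"]), "->", image_name(hit["Image"]))
```

Matching on the file name alone is evaded by a renamed binary, so in production pair it with the original-file-name or hash fields your telemetry provides.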