I just want to add one thing to the discussion if it’s okay.

You can use API Monitoring tools and intercept NtCreateUserProcess (NTDLL) and NtResumeThread (NTDLL). When NtCreateUserProcess break-point/hook is triggered then you can check the image file path/command line information to see the PE on disk being executed for a process spawn, and the NtResumeThread interception prevents the new process from executing any of it’s own code until you’re ready to analyse it.

Microsoft Office exploits tend to abuse the privilege to download additional malware and then execute it/execute built-in utilities like PowerShell so I thought it could be helpful for me to mention this. It can help you easily intercept process creation if it happens with a malicious MS document.