Suspicious macOS MS Office Child Process
Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.
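[metadata]
creation_date = "2021/01/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and
Excel). These child processes are often launched during exploitation of Office applications or by documents with
malicious macros.
"""
# Start of the query window for each rule execution, relative to run time.
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious macOS MS Office Child Process"
references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"]
risk_score = 47
rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
# Evaluate the window against ingest time instead of the event's own @timestamp so that
# events that arrive late (e.g. an endpoint that was offline) still fall inside the window.
timestamp_override = "event.ingested"
type = "eql"

# Matches process-start events on macOS whose parent is Word, PowerPoint or Excel and whose
# image is a shell, script interpreter, download utility, file-copy/move tool, base64 or
# launchctl. The trailing `not process.args` clause suppresses known-benign invocations
# (product-version discovery and Microsoft Error Reporting). Note that process.args is an
# array field, so an invocation is excluded when ANY of its arguments matches one of the
# listed values; keep that list as narrow as possible and re-check it whenever an entry is
# added, since a broad exclusion silently lowers the rule's coverage.
query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and
 process.name:
 (
 "bash",
 "dash",
 "sh",
 "tcsh",
 "csh",
 "zsh",
 "ksh",
 "fish",
 "python*",
 "perl*",
 "php*",
 "osascript",
 "pwsh",
 "curl",
 "wget",
 "cp",
 "mv",
 "base64",
 "launchctl"
 ) and
 /* noisy false positives related to product version discovery and office errors reporting */
 not process.args:
 (
 "ProductVersion",
 "hw.model",
 "ioreg",
 "ProductName",
 "ProductUserVisibleVersion",
 "ProductBuildVersion",
 "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting"
 )
'''

# ATT&CK mapping: one threat entry, one technique with one sub-technique, one tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"

[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"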