Suspicious Microsoft Office Child Process - MacOS
Detects suspicious child processes spawned by Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution.
Sigma rule
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: test
description: Detects suspicious child processes spawned by Microsoft Office suite applications such as Word or Excel. This could indicate malicious macro execution
references:
    - https://redcanary.com/blog/applescript/
    - https://objective-see.org/blog/blog_0x4B.html
author: Sohan G (D4rkCiph3r)
date: 2023-01-31
modified: 2023-02-04
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059.002
    - attack.t1137.002
    - attack.t1204.002
logsource:
    product: macos
    category: process_creation
detection:
    selection:
        ParentImage|contains:
            - 'Microsoft Word'
            - 'Microsoft Excel'
            - 'Microsoft PowerPoint'
            - 'Microsoft OneNote'
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/dash'
            - '/fish'
            - '/osacompile'
            - '/osascript'
            - '/sh'
            - '/zsh'
            - '/python'
            - '/python3'
            - '/wget'
    condition: selection
falsepositives:
    - Unknown
level: high
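To make the matching semantics concrete, here is an added example (not part of the rule or of the SigmaHQ project) that re-implements the selection block in Python and runs it over a handful of constructed process-creation events. The Office bundle paths and the assumption that the logging agent records full executable paths in ParentImage and Image are assumptions for the sake of the example; Sigma's default case-insensitive string matching is reproduced by lower-casing both sides.

```python
# Added example: a minimal re-implementation of the selection logic of the
# Sigma rule above, run over constructed macOS process_creation events.
# Sigma string matching is case-insensitive by default, so both modifiers
# are evaluated on lower-cased values here.
from dataclasses import dataclass
from typing import Iterable, List

# Values copied from the rule's detection.selection block.
PARENT_IMAGE_CONTAINS = (
    "Microsoft Word",
    "Microsoft Excel",
    "Microsoft PowerPoint",
    "Microsoft OneNote",
)
IMAGE_ENDSWITH = (
    "/bash", "/curl", "/dash", "/fish", "/osacompile", "/osascript",
    "/sh", "/zsh", "/python", "/python3", "/wget",
)


@dataclass(frozen=True)
class ProcessEvent:
    """The two process_creation fields the rule reads (field names as in Sigma)."""
    ParentImage: str
    Image: str


def matches_selection(event: ProcessEvent) -> bool:
    """True when the event satisfies both field conditions (an implicit AND)."""
    parent = event.ParentImage.lower()
    image = event.Image.lower()
    parent_hit = any(needle.lower() in parent for needle in PARENT_IMAGE_CONTAINS)
    image_hit = any(image.endswith(suffix.lower()) for suffix in IMAGE_ENDSWITH)
    return parent_hit and image_hit


def detect(events: Iterable[ProcessEvent]) -> List[ProcessEvent]:
    """condition: selection -> every event that matches the selection is an alert."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events (not real telemetry). Paths follow the layout of
# Office for Mac application bundles; the assumption is that the logging
# agent records the full executable path in ParentImage and Image.
WORD = "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word"
EXCEL = "/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel"
PPT = "/Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint"
FINDER = "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"

SAMPLE_EVENTS = [
    ProcessEvent(WORD, "/usr/bin/osascript"),        # macro -> AppleScript: alert
    ProcessEvent(EXCEL, "/usr/bin/curl"),            # macro -> download stage: alert
    ProcessEvent(WORD, "/bin/sh"),                   # shell spawned by Word: alert
    ProcessEvent(WORD, "/usr/bin/open"),             # Word opening a URL/file: no alert
    ProcessEvent(FINDER, "/bin/zsh"),                # user shell from Finder: no alert
    ProcessEvent(PPT, "/usr/local/bin/python3.11"),  # versioned interpreter: no alert
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT parent={hit.ParentImage!r} child={hit.Image!r}")
```

Running it prints three alerts (osascript, curl and sh spawned by Word or Excel) and drops the Finder and `open` events. The last sample event shows a limitation worth knowing before deploying the rule: `Image|endswith: '/python3'` does not match a versioned interpreter filename such as `python3.11`, so coverage depends on how the interpreter is actually invoked on the endpoint.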
References
- https://redcanary.com/blog/applescript/
- https://objective-see.org/blog/blog_0x4B.html
Related rules
- Suspicious Execution via macOS Script Editor
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- Active Directory Kerberos DLL Loaded Via Office Application