forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathinitial_access_suspicious_mac_ms_office_child_process.toml
More file actions
85 lines (77 loc) · 2.17 KB
/
initial_access_suspicious_mac_ms_office_child_process.toml
File metadata and controls
85 lines (77 loc) · 2.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
[metadata]
creation_date = "2021/01/04"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
[rule]
author = ["Elastic"]
description = """
Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and
Excel). These child processes are often launched during exploitation of Office applications or by documents with
malicious macros.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious macOS MS Office Child Process"
references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"]
risk_score = 47
rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where event.type in ("start", "process_started") and
process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and
process.name:
(
"bash",
"dash",
"sh",
"tcsh",
"csh",
"zsh",
"ksh",
"fish",
"python*",
"perl*",
"php*",
"osascript",
"pwsh",
"curl",
"wget",
"cp",
"mv",
"base64",
"launchctl"
) and
/* noisy false positives related to product version discovery and office errors reporting */
not process.args:
(
"ProductVersion",
"hw.model",
"ioreg",
"ProductName",
"ProductUserVisibleVersion",
"ProductBuildVersion",
"/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"