fix(rules): Use ps.name field in Macro execution via script interpreter

The condition on whether the Microsoft Office process is
spawned by the script interpreter should be evaluated on
the ps.name field.

Author: rabbitstack

rules/initial_access_macro_execution_via_script_interpreter.yml

@@ -1,6 +1,6 @@
 name: Macro execution via script interpreter
 id: 845404de-df6f-472f-bd74-72148a7f5166
-version: 1.0.2
+version: 1.0.3
 description: |
   Identifies the execution of the Windows scripting interpreter spawning
   a Microsoft Office process to execute suspicious Visual Basic macro.
@@ -18,7 +18,7 @@ labels:
 condition: >
   sequence
   maxspan 5m
-    |spawn_process and ps.parent.name iin script_interpreters and ps.child.name iin msoffice_binaries| by ps.child.uuid
+    |spawn_process and ps.name iin script_interpreters and ps.child.name iin msoffice_binaries| by ps.child.uuid
     |ps.name iin msoffice_binaries and thread.callstack.modules imatches '*vbe?.dll'
       and
      (spawn_process or (create_remote_thread) or (modify_registry) or (create_file)