fix(rules): Correct Process spawned from macro-enabled Microsoft Office document rule

rabbitstack · rabbitstack · commit ad4f42bd0847 · 2025-02-06T19:29:36.000+01:00
diff --git a/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml b/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml
@@ -20,10 +20,10 @@ labels:
 condition: >
   spawn_process
     and
-  ps.parent.name iin msoffice_binaries
+  ps.name iin msoffice_binaries
     and
   (
-    thread.callstack.modules imatches '*vbe?.dll'
+    thread.callstack.modules imatches ('*vbe?.dll')
       or
     thread.callstack.symbols imatches
       (

Original file line number	Diff line number	Diff line change
`@@ -20,10 +20,10 @@ labels:`
`20`	`20`	`condition: >`
`21`	`21`	`spawn_process`
`22`	`22`	`and`
`23`		`- ps.parent.name iin msoffice_binaries`
	`23`	`+ ps.name iin msoffice_binaries`
`24`	`24`	`and`
`25`	`25`	`(`
`26`		`- thread.callstack.modules imatches '*vbe?.dll'`
	`26`	`+ thread.callstack.modules imatches ('*vbe?.dll')`
`27`	`27`	`or`
`28`	`28`	`thread.callstack.symbols imatches`
`29`	`29`	`(`