Suspicious Microsoft Office Child Process - MacOS

Rule Info

Name
Suspicious Microsoft Office Child Process - MacOS
Author
Sohan G (D4rkCiph3r)
Description
Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
Reference
https://redcanary.com/blog/applescript/
Date
2023-01-31 00:00:00
Modified
2023-02-04 00:00:00
Id
69483748-1525-4a6c-95ca-90dc8d431b68
Tags
attack.execution attack.persistence attack.t1059.002 attack.t1137.002 attack.t1204.002 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=69483748-1525-4a6c-95ca-90dc8d431b68

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Nasreddine Bencherchali
feat: additional updates and fixes
2023-02-04
0795ed646
Nasreddine Bencherchali
fix: update metadata and logic
2023-02-01
55f16c3f8
D4rkCiph3r
Create proc_creation_macos_macros_execution.yml
2023-01-31
e4ace3d36
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022