[Rule Tuning] Suspicious macOS MS Office Child Process (#1022)

* [Rule Tuning] Suspicious macOS MS Office Child Process * comment for exclusions * Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-03-19 09:48:27 +01:00
parent 8e139012f7
commit bcc8b6922c
1 changed files with 13 additions and 3 deletions
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/03/09"

 [rule]
 author = ["Elastic"]
@@ -47,7 +47,18 @@ process where event.type in ("start", "process_started") and
   "mv", 
   "base64", 
   "launchctl"
- )
+  ) and
+  /* noisy false positives related to product version discovery and office errors reporting */
+  not process.args:
+    (
+      "ProductVersion",
+      "hw.model",
+      "ioreg",
+      "ProductName",
+      "ProductUserVisibleVersion",
+      "ProductBuildVersion",
+      "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting"
+    )
 '''


@@ -68,4 +79,3 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-