From bcc8b6922cd791e55158523ecc38d0d17c986010 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Fri, 19 Mar 2021 09:48:27 +0100
Subject: [PATCH] [Rule Tuning] Suspicious macOS MS Office Child Process (#1022)
* [Rule Tuning] Suspicious macOS MS Office Child Process
* comment for exclusions
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 ...s_suspicious_mac_ms_office_child_process.toml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index a350fde02..d2fbc37c0 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/03/09"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,18 @@ process where event.type in ("start", "process_started") and
 "mv",
 "base64",
 "launchctl"
- )
+ ) and
+ /* noisy false positives related to product version discovery and office errors reporting */
+ not process.args:
+ (
+ "ProductVersion",
+ "hw.model",
+ "ioreg",
+ "ProductName",
+ "ProductUserVisibleVersion",
+ "ProductBuildVersion",
+ "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting"
+ )
 '''
 
 
@@ -68,4 +79,3 @@ reference = "https://attack.mitre.org/techniques/T1566/001/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
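Review bot: The `not process.args: (...)` exclusion added in the second hunk keys on any single argument value, so an event whose argument list contains one of these tokens anywhere is dropped regardless of the child `process.name` or the rest of the command line, which makes the exclusion broader than the false positives it is meant to cover. Pairing each token with the binary that legitimately emits it, in the form `not (process.name : "<benign binary>" and process.args : "hw.model")`, keeps the noise reduction while leaving the rest of the child-process list in scope; the specific process names should be taken from the false-positive sample rather than guessed. The new comment would also read better as `/* noisy false positives related to product version discovery and Office error reporting */`, and a short note on which tool each excluded key belongs to (sysctl key, plist/defaults key, MERP path) would help the next tuner. The enclosing `query` string starts outside the hunk.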