Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious Microsoft Office Child Process - MacOS

Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Sohan G (D4rkCiph3r)Created Tue Jan 31Updated Sat Feb 0469483748-1525-4a6c-95ca-90dc8d431b68macos
Log Source
macOSProcess Creation
ProductmacOS← raw: macos
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic1 selector
detection:
    selection:
        ParentImage|contains:
            - 'Microsoft Word'
            - 'Microsoft Excel'
            - 'Microsoft PowerPoint'
            - 'Microsoft OneNote'
        Image|endswith:
            - '/bash'
            - '/curl'
            - '/dash'
            - '/fish'
            - '/osacompile'
            - '/osascript'
            - '/sh'
            - '/zsh'
            - '/python'
            - '/python3'
            - '/wget'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
redcanary.com
2
Resolving title…
objective-see.org
MITRE ATT&CK
Rule Metadata
Rule ID
69483748-1525-4a6c-95ca-90dc8d431b68
Status
test
Level
high
Type
Detection
Created
Tue Jan 31
Modified
Sat Feb 04
Author
Sohan G (D4rkCiph3r)
Path
rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml
Raw Tags
attack.executionattack.persistenceattack.t1059.002attack.t1137.002attack.t1204.002
View on GitHub