Product
medium
advisory
Suspicious macOS MS Office Child Process
2 rules 6 TTPs
This rule identifies suspicious child processes of Microsoft Office applications on macOS, which often result from exploitation or malicious macros. It detects unexpected processes such as curl, bash, osascript, and python spawned by Office apps, while filtering out false positives related to product version discovery, error reporting, and legitimate software.
Microsoft Word +7
endpoint
macos
initial_access
microsoft_office
medium
advisory
Suspicious MS Office Child Process
2 rules 18 TTPs
Detects suspicious child processes of Microsoft Office applications, indicating potential exploitation or malicious macros for initial access, defense evasion, and execution.
Microsoft Office +4
initial-access
defense-evasion
execution
discovery
windows