From f65b578b148e9768885be93bcee449c8cd1de248 Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 29 Apr 2025 22:10:33 +0200
Subject: [PATCH] fix(rules): Use ps.name field in Macro execution via script interpreter

The condition on whether the Microsoft Office process is spawned by the script interpreter should be evaluated on the ps.name field.
---
 .../initial_access_macro_execution_via_script_interpreter.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/initial_access_macro_execution_via_script_interpreter.yml b/rules/initial_access_macro_execution_via_script_interpreter.yml
index a93ca112d..c14a6f2e4 100644
--- a/rules/initial_access_macro_execution_via_script_interpreter.yml
+++ b/rules/initial_access_macro_execution_via_script_interpreter.yml
@@ -1,6 +1,6 @@
 name: Macro execution via script interpreter
 id: 845404de-df6f-472f-bd74-72148a7f5166
-version: 1.0.2
+version: 1.0.3
 description: |
 Identifies the execution of the Windows scripting interpreter spawning a Microsoft Office process to execute suspicious Visual Basic macro.
@@ -18,7 +18,7 @@ labels:
 condition: >
 sequence maxspan 5m
-|spawn_process and ps.parent.name iin script_interpreters and ps.child.name iin msoffice_binaries| by ps.child.uuid
+|spawn_process and ps.name iin script_interpreters and ps.child.name iin msoffice_binaries| by ps.child.uuid
 |ps.name iin msoffice_binaries and thread.callstack.modules imatches '*vbe?.dll' and (spawn_process or (create_remote_thread) or (modify_registry) or (create_file)