ESET Online Help


Working with a parent-child relationship

This topic covers the scenario in which malware is delivered as a script inside an email attachment or a document.

We want to create a rule that monitors for a script interpreter (a program that executes scripts) being launched by a Microsoft Office application, that is, from a document or an email.

Rule

<?xml version="1.0" encoding="utf-8"?>

<rule>
  <body>
    <name>MS Office application has triggered script interpreter [D807]</name>
    <severity>Warning</severity>
    <parentprocess>
      <operator type="AND">
        <condition component="LiveGrid" property="Popularity" condition="greater" value="10000" />
        <operator type="OR">
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD" />
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="EXCEL" />
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="OUTLOOK" />
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="POWERPNT" />
        </operator>
      </operator>
    </parentprocess>

    <process>
      <operator type="AND">
        <condition component="LiveGrid" property="Popularity" condition="greater" value="10000" />
        <condition component="FileItem" property="Path" condition="starts" value="%WINDIR%" />
        <operator type="OR">
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="powershell" />
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="cscript" />
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="wscript" />
          <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="cmd" />
        </operator>
      </operator>
    </process>
  </body>
</rule>

Things to notice in the rule example above:

1. We used process to identify the execution of the script interpreter and parentprocess to identify the Microsoft Office application, so the "Process executed by" relationship is modeled by the process/parentprocess pair.

2. We used the LiveGrid component with the Popularity property in the parentprocess section to filter out programs that are not Microsoft Office applications but share their names (the genuine Office applications have higher popularity).

3. We used a similar approach in the process section, where we also added the condition that the program was executed from the Windows directory, to ensure we are dealing with a real script interpreter.
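To show how the three points above interact, here is an added Python example (not ESET's code and not its rule engine): it parses the rule above and evaluates it against a few constructed process events, so you can see which parent/child pairs the popularity, path and name conditions let through. The condition semantics ("is" as case-insensitive equality, "greater" as a numeric comparison, "starts" as a case-insensitive prefix match with %WINDIR% expanded to C:\Windows), the Proc record, and the sample paths and popularity counts are all assumptions made for the demonstration.

```python
import ntpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# The rule from the page, embedded so the script runs offline.
RULE_XML = """<?xml version="1.0" encoding="utf-8"?>
<rule>
<body>
 <name>MS Office application has triggered script interpreter [D807]</name>
 <severity>Warning</severity>
 <parentprocess>
  <operator type="AND">
   <condition component="LiveGrid" property="Popularity" condition="greater" value="10000" />
   <operator type="OR">
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="WINWORD" />
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="EXCEL" />
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="OUTLOOK" />
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="POWERPNT" />
   </operator>
  </operator>
 </parentprocess>
 <process>
  <operator type="AND">
   <condition component="LiveGrid" property="Popularity" condition="greater" value="10000" />
   <condition component="FileItem" property="Path" condition="starts" value="%WINDIR%" />
   <operator type="OR">
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="powershell" />
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="cscript" />
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="wscript" />
    <condition component="FileItem" property="FileNameWithoutExtension" condition="is" value="cmd" />
   </operator>
  </operator>
 </process>
</body>
</rule>"""

WINDIR = r"C:\Windows"  # assumed expansion of %WINDIR% for the sample events

@dataclass(frozen=True)
class Proc:
    """Minimal stand-in for a process event: executable path plus LiveGrid popularity (assumed shape)."""
    path: str
    popularity: int

    @property
    def file_name_without_extension(self) -> str:
        return ntpath.splitext(ntpath.basename(self.path))[0]  # ntpath: Windows paths on any host

def eval_condition(cond: ET.Element, proc: Proc) -> bool:
    """Leaf <condition>. Assumed semantics: 'is'/'starts' case-insensitive, 'greater' numeric."""
    actual = {
        ("LiveGrid", "Popularity"): proc.popularity,
        ("FileItem", "FileNameWithoutExtension"): proc.file_name_without_extension,
        ("FileItem", "Path"): proc.path,
    }[(cond.get("component"), cond.get("property"))]
    op, expected = cond.get("condition"), cond.get("value")
    if op == "greater":
        return int(actual) > int(expected)
    if op == "is":
        return str(actual).lower() == expected.lower()
    if op == "starts":
        return str(actual).lower().startswith(expected.replace("%WINDIR%", WINDIR).lower())
    raise ValueError(f"unsupported condition {op!r}")

def eval_node(node: ET.Element, proc: Proc) -> bool:
    """Recursively evaluate an <operator type="AND|OR"> subtree or a leaf <condition>."""
    if node.tag == "condition":
        return eval_condition(node, proc)
    results = [eval_node(child, proc) for child in node]
    return all(results) if node.get("type") == "AND" else any(results)

def rule_matches(rule_xml: str, child: Proc, parent: Proc) -> bool:
    """True when the child satisfies <process> AND its parent satisfies <parentprocess>."""
    body = ET.fromstring(rule_xml.encode("utf-8")).find("body")
    return (all(eval_node(n, child) for n in body.find("process"))
            and all(eval_node(n, parent) for n in body.find("parentprocess")))

# Constructed sample events; paths and popularity counts are made up for the demo.
WORD = Proc(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", 500000)
FAKE_WORD = Proc(r"C:\Users\alice\AppData\Local\Temp\WINWORD.exe", 3)
EXPLORER = Proc(r"C:\Windows\explorer.exe", 950000)
POWERSHELL = Proc(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 900000)
TEMP_CSCRIPT = Proc(r"C:\Users\alice\AppData\Local\Temp\cscript.exe", 2)

def demo() -> dict:
    """Only the genuine Office parent spawning a system interpreter should trigger the rule."""
    return {
        "word -> powershell": rule_matches(RULE_XML, POWERSHELL, WORD),           # True
        "fake word -> powershell": rule_matches(RULE_XML, POWERSHELL, FAKE_WORD), # False: popularity 3
        "word -> temp cscript": rule_matches(RULE_XML, TEMP_CSCRIPT, WORD),       # False: not under %WINDIR%
        "explorer -> powershell": rule_matches(RULE_XML, POWERSHELL, EXPLORER),   # False: parent not Office
    }

if __name__ == "__main__":
    for pair, hit in demo().items():
        print(f"{pair:26s} {'DETECTED' if hit else 'no match'}")
```

The two negative cases with the look-alike WINWORD.exe and the cscript.exe copied to a temp folder are the ones the Popularity and %WINDIR% conditions exist for: without them, a renamed binary would satisfy the name checks alone, and the rule would trigger on (or, worse, be tuned around) the wrong processes.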