From ad4f42bd08477ecb9d7cee620b4d86c40c1ae7fa Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Thu, 6 Feb 2025 19:29:36 +0100
Subject: [PATCH] fix(rules): Correct Process spawned from macro-enabled Microsoft Office document rule
---
 ...s_spawned_from_macro_enabled_microsoft_office_document.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml b/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml
index 8d63b2ea8..5c2cde268 100644
--- a/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml
+++ b/rules/initial_access_process_spawned_from_macro_enabled_microsoft_office_document.yml
@@ -20,10 +20,10 @@ labels:
condition: >
spawn_process and
- ps.parent.name iin msoffice_binaries
+ ps.name iin msoffice_binaries
and (
- thread.callstack.modules imatches '*vbe?.dll'
+ thread.callstack.modules imatches ('*vbe?.dll')
or thread.callstack.symbols imatches (