From cc5bce20359d2a64e74ab1ed52fb655b9f21d9e7 Mon Sep 17 00:00:00 2001 From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com> Date: Sat, 18 Feb 2023 19:04:22 +0530 Subject: [PATCH 1/6] Create proc_creation_macos_susp_installer_child_process.yml Summary of the Pull Request: The pull request adds a new rule for macOS (T1059, T1059.007, T1071, T1071.001) Detailed Description of the Pull Request / Additional comments: The rule helps detect the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters. Legitimate software also uses such scripts (preinstall and postinstall); baselining or application allow-listing helps reduce the false positives. Example Log Event (In Case of FP Fixes) NA Relevant Issues (In Case of Issue Fixes) NA --- ...ion_macos_susp_installer_child_process.yml | 46 +++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml diff --git a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml new file mode 100644 index 000000000..2d02728c1 --- /dev/null +++ b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml
@@ -0,0 +1,46 @@
+title: Suspicious Installer Package child process
+id: e0cfaecd-602d-41af-988d-f6ccebb2af26
+status: experimental
+description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
+references:
+ - https://redcanary.com/blog/clipping-silver-sparrows-wings/
+ - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
+author: Sohan G (D4rkCiph3r)
+date: 2023/02/18
+tags:
+ - attack.t1059
+ - attack.t1059.007
+ - attack.t1071
+ - attack.t1071.001
+ - attack.execution
+ - attack.command_and_controls
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection1:
+ ParentImage|contains:
+ - 'package_script_service'
+ - 'installer'
+ selection2:
+ Image|endswith:
+ - '/sh'
+ - '/bash'
+ - '/dash'
+ - '/python'
+ - '/ruby'
+ - '/perl'
+ - '/php'
+ - '/javascript'
+ - '/osascript'
+ - '/tclsh'
+ - '/curl'
+ - '/wget'
+ selection3:
+ CommandLine|contains:
+ - 'preinstall'
+ - 'postinstall'
+ condition: all of selection*
+falsepositives:
+ - Legitimate software uses the scripts(preinstall, postinstall)
+level: medium
From c016748316eba2653e23f11781750a305b4fed0b Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Sat, 18 Feb 2023 19:10:01 +0530
Subject: [PATCH 2/6] Update proc_creation_macos_susp_installer_child_process.yml
---
.../proc_creation_macos_susp_installer_child_process.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml
index 2d02728c1..b10354303 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml
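Review bot: Several entries in the `Image|endswith` list under `selection2` cannot match what macOS actually executes: there is no `/javascript` binary (JXA runs as `osascript -l JavaScript`, which the `/osascript` entry already covers), `/python` does not match `/usr/bin/python3` (Apple removed `/usr/bin/python` in macOS 12.3, so current hosts only have `python3`), and `/sh` does not match `/bin/zsh`, the default login shell, because the character before `sh` is `z` rather than `/`. I would replace `- '/javascript'` with `- '/zsh'` and add `- '/python3'` beside `- '/python'`. The description's claim that JXA is covered then rests on the osascript entry, which is worth saying explicitly in the description, e.g. "osascript (including JXA)".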
+++ b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml @@ -13,7 +13,7 @@ tags: - attack.t1071 - attack.t1071.001 - attack.execution - - attack.command_and_controls + - attack.command_and_control logsource: category: process_creation product: macos From cd16dff85dd25c0aa3479dbf485db7ff6f1a5180 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 20 Feb 2023 06:32:47 +0100 Subject: [PATCH 3/6] Update rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml --- .../proc_creation_macos_susp_installer_child_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml index b10354303..dc22d6c4c 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml @@ -1,4 +1,4 @@ -title: Suspicious Installer Package child process +title: Suspicious Installer Package Child Process id: e0cfaecd-602d-41af-988d-f6ccebb2af26 status: experimental description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters From 97e27173435ba454bbc10ab8d9d3b20a94f4f98e Mon Sep 17 00:00:00 2001 From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com> Date: Mon, 20 Feb 2023 18:19:43 +0530 Subject: [PATCH 4/6] Update proc_creation_macos_susp_installer_child_process.yml Updated the selection syntax --- .../proc_creation_macos_susp_installer_child_process.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml index dc22d6c4c..b0457c72c 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml @@ -18,11 +18,10 @@ logsource: category: process_creation product: macos detection: - selection1: + selection_installer: ParentImage|contains: - 'package_script_service' - 'installer' - selection2: Image|endswith: - '/sh' - '/bash' @@ -36,11 +35,10 @@ detection: - '/tclsh' - '/curl' - '/wget' - selection3: CommandLine|contains: - 'preinstall' - 'postinstall' - condition: all of selection* + condition: selection_installer falsepositives: - Legitimate software uses the scripts(preinstall, postinstall) level: medium From 8220d9b5b23b7f42f22a70837a1c12977d7b09f0 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Feb 2023 23:17:09 +0100 Subject: [PATCH 5/6] fix: add slash to image field Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../proc_creation_macos_susp_installer_child_process.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml index b0457c72c..248d5d216 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml @@ -19,9 +19,9 @@ logsource: product: macos detection: selection_installer: - ParentImage|contains: - - 'package_script_service' - - 'installer' + ParentImage|endswith: + - '/package_script_service' + - '/installer' Image|endswith: - '/sh' - '/bash' 
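Review bot: Once `ParentImage`, `Image` and `CommandLine` all sit in the single `selection_installer` map, the three fields are ANDed, so the `/curl` and `/wget` images only match when the network tool's own command line contains `preinstall` or `postinstall` — in practice only if the script file itself names the tool as its interpreter. A curl, wget or osascript launched from inside a postinstall shell script has that shell as its parent rather than `package_script_service`, and the Installer Distribution-script behaviour in the first reference, as I read it, yields a bare `sh -c …` with no script name, so both cases fall outside the rule (the earlier `all of selection*` had the same effect, this hunk just makes it explicit). If the command-line clause is meant as a false-positive filter for the interpreters, I would keep it for them only and let the network tools match on the parent alone, with `condition: selection_parent and (selection_script or selection_net)`. Please confirm the intended scope against the references before restructuring.

```yaml
detection:
    selection_parent:
        ParentImage|contains:
            - 'package_script_service'
            - 'installer'
    selection_script:
        Image|endswith:
            - '/sh'
            # … unchanged: remaining interpreter entries …
            - '/tclsh'
        CommandLine|contains:
            - 'preinstall'
            - 'postinstall'
    selection_net:
        Image|endswith:
            - '/curl'
            - '/wget'
    condition: selection_parent and (selection_script or selection_net)
```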
From 275748b671790b188a9e351391ba9cc8b2190c77 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 21 Feb 2023 23:29:47 +0100 Subject: [PATCH 6/6] fix: add missing space + rename file --- ...l => proc_creation_macos_installer_susp_child_process.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/macos/process_creation/{proc_creation_macos_susp_installer_child_process.yml => proc_creation_macos_installer_susp_child_process.yml} (93%) diff --git a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml similarity index 93% rename from rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml rename to rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml index 248d5d216..e4b5b8bdd 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml +++ b/rules/macos/process_creation/proc_creation_macos_installer_susp_child_process.yml @@ -10,7 +10,7 @@ date: 2023/02/18 tags: - attack.t1059 - attack.t1059.007 - - attack.t1071 + - attack.t1071 - attack.t1071.001 - attack.execution - attack.command_and_control @@ -40,5 +40,5 @@ detection: - 'postinstall' condition: selection_installer falsepositives: - - Legitimate software uses the scripts(preinstall, postinstall) + - Legitimate software uses the scripts (preinstall, postinstall) level: medium