From e32b39d85570e7d8866d133abff14a286eefe7d7 Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Wed, 5 Apr 2023 18:28:09 +0530
Subject: [PATCH] feat: new macos rule `Suspicious Browser Child Process` (#4053)
---
 ...ation_macos_susp_browser_child_process.yml | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
new file mode 100644
index 000000000..2da82ca85
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml
@@ -0,0 +1,78 @@
+title: Suspicious Browser Child Process - MacOS
+id: 0250638a-2b28-4541-86fc-ea4c558fa0c6
+status: experimental
+description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
+references:
+ - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
+ - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+author: Sohan G (D4rkCiph3r)
+date: 2023/04/05
+tags:
+ - attack.initial_access
+ - attack.execution
+ - attack.t1189
+ - attack.t1203
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ ParentImage|contains:
+ - 'com.apple.WebKit.WebContent'
+ - 'firefox'
+ - 'Google Chrome Helper'
+ - 'Google Chrome'
+ - 'Microsoft Edge'
+ - 'Opera'
+ - 'Safari'
+ - 'Tor Browser'
+ Image|endswith:
+ - '/bash'
+ - '/curl'
+ - '/dash'
+ - '/ksh'
+ - '/osascript'
+ - '/perl'
+ - '/php'
+ - '/pwsh'
+ - '/python'
+ - '/sh'
+ - '/tcsh'
+ - '/wget'
+ - '/zsh'
+ filter_main_generic:
+ CommandLine|contains: '--defaults-torrc' # Informs tor to use default config file
+ filter_main_ms_autoupdate:
+ CommandLine|contains: '/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate' # Microsoft AutoUpdate utility
+ filter_main_chrome:
+ ParentImage|contains:
+ - 'Google Chrome Helper'
+ - 'Google Chrome'
+ CommandLine|contains:
+ - '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh' # Install the Google Chrome browser
+ - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh' # Updates the Google Chrome branding configuration files
+ - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh' # Script that performs the post-installation tasks
+ filter_main_ms_edge:
+ ParentImage|contains: 'Microsoft Edge'
+ CommandLine|contains:
+ - 'IOPlatformExpertDevice' # Retrieves the IOPlatformUUID (parent process - Microsoft Edge)
+ - 'hw.model' # Retrieves model name of the computer's hardware (parent process - Microsoft Edge)
+ filter_main_chromerecovery:
+ ParentImage|contains:
+ - 'Google Chrome Helper'
+ - 'Google Chrome'
+ CommandLine|contains|all:
+ - '/Users/'
+ - '/Library/Application Support/Google/Chrome/recovery/'
+ - '/ChromeRecovery'
+ filter_optional_null:
+ # Aoids alerting for the events which do not have command-line arguments
+ CommandLine: null
+ filter_optional_empty:
+ # Aoids alerting for the events which do not have command-line arguments
+ CommandLine: ''
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Legitimate browser install, update and recovery scripts
+level: medium
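Review bot: `Image|endswith` lists `'/python'` but nothing in the list matches `/usr/bin/python3`, the interpreter name typically present on current macOS, so Python children of a browser are missed; add `- '/python3'` beside it. `filter_main_generic` drops any child whose command line contains `--defaults-torrc` regardless of parent, while every other filter pins `ParentImage`; scoping it with `ParentImage|contains: 'Tor Browser'` keeps the exclusion tied to the browser it was written for, and a name such as `filter_main_tor` would say what it is. All exclusions key on substrings of `CommandLine`, a value chosen by whoever launches the child, so each one should stay as narrow as the known-good invocation allows (the `hw.model` and `IOPlatformExpertDevice` entries under `filter_main_ms_edge` are the broadest). The comments on `filter_optional_null` and `filter_optional_empty` read `Aoids`; they should read `Avoids`.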