2021-02-26 09:46:01 -06:00
[ metadata ]
creation_date = "2021/02/23"
maturity = "production"
2022-08-21 22:29:39 -03:00
updated_date = "2022/08/17"
2021-02-26 09:46:01 -06:00
[ rule ]
author = [ "Elastic" ]
description = "" "
2022-07-28 15:16:10 -05:00
Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl).
Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software.
If this rule fires it should indicate the installation of a malicious or suspicious package.
2021-02-26 09:46:01 -06:00
" ""
false_positives = [
"" "
Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known
behavior is causing false positives, it can be excluded from the rule.
" "" ,
]
from = "now-9m"
index = [ "logs-endpoint.events.*" ]
language = "eql"
2021-03-03 22:12:11 -09:00
license = "Elastic License v2"
2022-07-28 15:16:10 -05:00
name = "MacOS Installer Package Spawns Network Event"
2021-06-15 09:22:59 -04:00
references = [
"https://redcanary.com/blog/clipping-silver-sparrows-wings" ,
2022-07-28 15:16:10 -05:00
"https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520" ,
"https://github.com/D00MFist/Mystikal"
2021-06-15 09:22:59 -04:00
]
2022-08-21 22:29:39 -03:00
risk_score = 47
2021-02-26 09:46:01 -06:00
rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
severity = "medium"
2022-07-22 16:39:25 -04:00
tags = [ "Elastic" , "Host" , "macOS" , "Threat Detection" , "Execution" , "Command and Control" ]
2021-02-26 09:46:01 -06:00
type = "eql"
query = '' '
2022-07-28 15:16:10 -05:00
sequence by host.id, user.id with maxspan=30s
[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
2021-02-26 09:46:01 -06:00
' ''
[ [ rule . threat ] ]
framework = "MITRE ATT&CK"
[ [ rule . threat . technique ] ]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[ [ rule . threat . technique . subtechnique ] ]
id = "T1059.007"
2021-08-04 14:16:10 -08:00
name = "JavaScript"
2021-02-26 09:46:01 -06:00
reference = "https://attack.mitre.org/techniques/T1059/007/"
[ rule . threat . tactic ]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[ [ rule . threat ] ]
framework = "MITRE ATT&CK"
[ [ rule . threat . technique ] ]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"
[ [ rule . threat . technique . subtechnique ] ]
id = "T1071.001"
name = "Web Protocols"
reference = "https://attack.mitre.org/techniques/T1071/001/"
[ rule . threat . tactic ]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
2021-03-03 22:12:11 -09:00
