From 84966f02a1b71cce13db22b6c348cb46560529b7 Mon Sep 17 00:00:00 2001 From: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Date: Thu, 24 Apr 2025 07:58:06 -0500 Subject: [PATCH] [Tuning] Update DPRK ByBit Hunting Queries (#4645) * fix * markdown generate * adding missing streamlit hunting query --------- Co-authored-by: terrancedejesus Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> --- ...ous_executable_file_creation_via_python.md | 27 +++++----- ...thon_script_outbound_network_connection.md | 51 +++++++++++++++++++ ...s_executable_file_creation_via_python.toml | 27 +++++----- ...on_script_outbound_network_connection.toml | 36 +++++++++++++ 4 files changed, 111 insertions(+), 30 deletions(-) create mode 100644 hunting/macos/docs/defense_evasion_self_deleted_python_script_outbound_network_connection.md create mode 100644 hunting/macos/queries/defense_evasion_self_deleted_python_script_outbound_network_connection.toml diff --git a/hunting/macos/docs/command_and_control_suspicious_executable_file_creation_via_python.md b/hunting/macos/docs/command_and_control_suspicious_executable_file_creation_via_python.md index 253d67733..7b7f3daf5 100644 --- a/hunting/macos/docs/command_and_control_suspicious_executable_file_creation_via_python.md +++ b/hunting/macos/docs/command_and_control_suspicious_executable_file_creation_via_python.md 
@@ -1,37 +1,34 @@ -# Unsigned or Untrusted Binary Execution via Python +# Suspcious Executable File Creation via Python --- ## Metadata - **Author:** Elastic -- **Description:** Detects the execution of unsigned or untrusted binaries where the parent process is a Python interpreter. Adversaries often use Python as a launcher to run untrusted payloads, typically dropped to locations like `/tmp`, `/Users/Shared`, or public directories. This behavior is indicative of custom loaders, malware staging, or post-exploitation actions. +- **Description:** Detects suspicious creation of executable files by Python processes in commonly abused directories +on macOS systems. These locations, such as /Users/Shared, /tmp, or /private/tmp, are frequently used by adversaries +and post-exploitation frameworks to stage or drop payloads. The detection leverages the ELF or Mach-O magic bytes +to confirm executables are written to disk. - **UUID:** `9aaf1113-cf7a-4fd7-b796-f6456fdaffb5` - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) - **Language:** `[EQL]` -- **Source File:** [Unsigned or Untrusted Binary Execution via Python](../queries/command_and_control_suspicious_executable_file_creation_via_python.toml) +- **Source File:** [Suspcious Executable File Creation via Python](../queries/command_and_control_suspicious_executable_file_creation_via_python.toml) ## Query ```sql -process where event.type == "start" and event.action == "exec" and - (process.code_signature.trusted == false or process.code_signature.exists == false) and - process.parent.name like~ "python*" and - ( - process.executable like "/Users/Shared/*" or - process.executable like "/tmp/*" or - process.executable like "/private/tmp/*" or - process.executable like "/Users/*/Public/*" or - process.name like ".*" - ) +file where event.action == "modification" and + process.name like~ "python*" and + file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*") and + file.path like ("/Users/Shared/*", 
"/tmp/*", "/private/tmp/*", "/Users/*/Public/*") and + not file.extension in ("dylib", "so") ``` ## Notes -- Execution of untrusted binaries from Python in shared or temporary directories is rare in normal operations. +- Creation or modification of executable binaries in these directories is odd and rare in normal operations. - This hunt is useful for detecting dropper-style behavior during post-exploitation or initial access. -- You may wish to enrich with file.hash or process.args to gain more triage context. ## MITRE ATT&CK Techniques diff --git a/hunting/macos/docs/defense_evasion_self_deleted_python_script_outbound_network_connection.md b/hunting/macos/docs/defense_evasion_self_deleted_python_script_outbound_network_connection.md new file mode 100644 index 000000000..4b774f27b --- /dev/null +++ b/hunting/macos/docs/defense_evasion_self_deleted_python_script_outbound_network_connection.md 
@@ -0,0 +1,51 @@ +# Self-Deleted Python Script Outbound Network Connection + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** Detects an outbound network connection by a Python script that was executed and deleted from disk. A recent DPRK +initial access campaign used a Python script that self +deletes and continues operating in memory. +- **UUID:** `04d4b300-bf2f-4e86-8fab-c51502a1db32` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) +- **Language:** `[EQL]` +- **Source File:** [Self-Deleted Python Script Outbound Network Connection](../queries/defense_evasion_self_deleted_python_script_outbound_network_connection.toml) + +## Query + +```sql +sequence by process.entity_id with maxspan=10s +[file where event.action == "deletion" and file.extension in ("py", "pyc") and process.name like~ "python*"] +[network where event.type == "start" and + not cidrmatch(destination.ip, + "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/4", "198.19.0.0/16", "192.18.0.0/15", + "192.0.0.0/24", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", + "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", + "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", + "::1", "FE80::/10", "FF00::/8")] +``` + +## Notes + +- This hunt identifies a deleted Python script followed immediately followed by external network activity from the same process. +- Outbound connection filtering avoids internal IPs and infrastructure — can be tuned to your network space. 
+ +## MITRE ATT&CK Techniques + +- [T1059.006](https://attack.mitre.org/techniques/T1059/006) +- [T1105](https://attack.mitre.org/techniques/T1105) +- [T1070.004](https://attack.mitre.org/techniques/T1070/004) + +## References + +- https://www.elastic.co/security-labs/dprk-code-of-conduct +- https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/ +- https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34 +- https://x.com/safe/status/1897663514975649938 +- https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/ + +## License + +- `Elastic License v2` diff --git a/hunting/macos/queries/command_and_control_suspicious_executable_file_creation_via_python.toml b/hunting/macos/queries/command_and_control_suspicious_executable_file_creation_via_python.toml index 655656d8a..57442250a 100644 --- a/hunting/macos/queries/command_and_control_suspicious_executable_file_creation_via_python.toml +++ b/hunting/macos/queries/command_and_control_suspicious_executable_file_creation_via_python.toml 
@@ -1,31 +1,28 @@
 [hunt]
 author = "Elastic"
-name = "Unsigned or Untrusted Binary Execution via Python"
+name = "Suspcious Executable File Creation via Python"
 uuid = "9aaf1113-cf7a-4fd7-b796-f6456fdaffb5"
 description = """
-Detects the execution of unsigned or untrusted binaries where the parent process is a Python interpreter. Adversaries often use Python as a launcher to run untrusted payloads, typically dropped to locations like `/tmp`, `/Users/Shared`, or public directories. This behavior is indicative of custom loaders, malware staging, or post-exploitation actions.
+Detects suspicious creation of executable files by Python processes in commonly abused directories
+on macOS systems. These locations, such as /Users/Shared, /tmp, or /private/tmp, are frequently used by adversaries
+and post-exploitation frameworks to stage or drop payloads. The detection leverages the ELF or Mach-O magic bytes
+to confirm executables are written to disk.
 """
 integration = ["endpoint"]
 language = ["EQL"]
 license = "Elastic License v2"
 mitre = ["T1059.006", "T1105"]
 notes = [
- "Execution of untrusted binaries from Python in shared or temporary directories is rare in normal operations.",
- "This hunt is useful for detecting dropper-style behavior during post-exploitation or initial access.",
- "You may wish to enrich with file.hash or process.args to gain more triage context."
+ "Creation or modification of executable binaries in these directories is odd and rare in normal operations.",
+ "This hunt is useful for detecting dropper-style behavior during post-exploitation or initial access."
 ]
 query = [
 '''
-process where event.type == "start" and event.action == "exec" and
- (process.code_signature.trusted == false or process.code_signature.exists == false) and
- process.parent.name like~ "python*" and
- (
- process.executable like "/Users/Shared/*" or
- process.executable like "/tmp/*" or
- process.executable like "/private/tmp/*" or
- process.executable like "/Users/*/Public/*" or
- process.name like ".*"
- )
+file where event.action == "modification" and
+ process.name like~ "python*" and
+ file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*") and
+ file.path like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Users/*/Public/*") and
+ not file.extension in ("dylib", "so")
 '''
 ]
 references = [
diff --git a/hunting/macos/queries/defense_evasion_self_deleted_python_script_outbound_network_connection.toml b/hunting/macos/queries/defense_evasion_self_deleted_python_script_outbound_network_connection.toml
new file mode 100644
index 000000000..27a3e6fad
--- /dev/null
+++ b/hunting/macos/queries/defense_evasion_self_deleted_python_script_outbound_network_connection.toml
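Review bot: The new `name` value on the third line of this hunk misspells "Suspicious" (`name = "Suspicious Executable File Creation via Python"` is intended), and the generated command_and_control_suspicious_executable_file_creation_via_python.md in this patch repeats the typo in its title and Source File link, so fix it here and regenerate the docs. The rewritten description says the query uses "the ELF or Mach-O magic bytes", but `file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*")` only matches 64-bit Mach-O and fat/universal headers — the ELF magic (7f454c46) is never checked, so either the description should say Mach-O only or the pattern list should be extended. `cafebabe` is also the Java class-file magic, so compiled `.class` files written by a python process into these paths will fire; `not file.extension in ("dylib", "so", "class")` or a `notes` entry naming that source of noise would help triage. The title says "File Creation" while the query only matches `event.action == "modification"`; if the endpoint integration populates header bytes on creation events as well, adding "creation" would align the two, otherwise the title should say modification.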
@@ -0,0 +1,36 @@
+[hunt]
+author = "Elastic"
+name = "Self-Deleted Python Script Outbound Network Connection"
+uuid = "04d4b300-bf2f-4e86-8fab-c51502a1db32"
+description = """
+Detects an outbound network connection by a Python script that was executed and deleted from disk. A recent DPRK
+initial access campaign used a Python script that self
+deletes and continues operating in memory."""
+integration = ["endpoint"]
+language = ["EQL"]
+license = "Elastic License v2"
+mitre = ["T1059.006", "T1105", "T1070.004"]
+notes = [
+ "This hunt identifies a deleted Python script followed immediately followed by external network activity from the same process.",
+ "Outbound connection filtering avoids internal IPs and infrastructure — can be tuned to your network space."
+]
+query = [
+'''
+sequence by process.entity_id with maxspan=10s
+[file where event.action == "deletion" and file.extension in ("py", "pyc") and process.name like~ "python*"]
+[network where event.type == "start" and
+ not cidrmatch(destination.ip,
+ "240.0.0.0/4", "233.252.0.0/24", "224.0.0.0/4", "198.19.0.0/16", "192.18.0.0/15",
+ "192.0.0.0/24", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
+ "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
+ "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
+ "::1", "FE80::/10", "FF00::/8")]
+'''
+]
+references = [
+ "https://www.elastic.co/security-labs/dprk-code-of-conduct",
+ "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
+ "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34",
+ "https://x.com/safe/status/1897663514975649938",
+ "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/"
+]
\ No newline at end of file
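Review bot: The first `notes` entry in this new file reads "followed immediately followed by"; it should be `"This hunt identifies a deleted Python script immediately followed by external network activity from the same process.",`, and the generated markdown carries the same wording. The file event only requires that a python process deleted some `.py`/`.pyc` file, not the script it is executing, so ordinary interpreter or package-manager activity that removes bytecode (stale `__pycache__` entries, installs or uninstalls) and reaches the network within the 10s `maxspan` satisfies the sequence; a guard such as `not file.path like "*/__pycache__/*"` on the file event, or a `notes` entry naming that noise source, would make triage easier. The `description` string breaks the line between "self" and "deletes", which renders as a split phrase in the generated markdown; keep "self-deletes" on one line. The file also ends without a trailing newline (`\ No newline at end of file`).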