Colson Wilhoit
998afcf9c4
* [Rule Tuning] MacOS Installer Package Net Event * Update rules/macos/execution_installer_package_spawned_network_event.toml * Update rules/macos/execution_installer_package_spawned_network_event.toml * Update execution_installer_package_spawned_network_event.toml just deleting a typo Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
76 lines
2.7 KiB
TOML
76 lines
2.7 KiB
TOML
[metadata]
|
|
creation_date = "2021/02/23"
|
|
maturity = "production"
|
|
updated_date = "2022/07/27"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl).
|
|
Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software.
|
|
If this rule fires it should indicate the installation of a malicious or suspicious package.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known
|
|
behavior is causing false positives, it can be excluded from the rule.
|
|
""",
|
|
]
|
|
from = "now-9m"
|
|
index = ["logs-endpoint.events.*"]
|
|
language = "eql"
|
|
license = "Elastic License v2"
|
|
name = "MacOS Installer Package Spawns Network Event"
|
|
references = [
|
|
"https://redcanary.com/blog/clipping-silver-sparrows-wings",
|
|
"https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520",
|
|
"https://github.com/D00MFist/Mystikal"
|
|
]
|
|
risk_score = 74
|
|
rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Command and Control"]
|
|
type = "eql"
|
|
|
|
query = '''
|
|
sequence by host.id, user.id with maxspan=30s
|
|
[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
|
|
[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
|
|
'''
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1059"
|
|
name = "Command and Scripting Interpreter"
|
|
reference = "https://attack.mitre.org/techniques/T1059/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1059.007"
|
|
name = "JavaScript"
|
|
reference = "https://attack.mitre.org/techniques/T1059/007/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0002"
|
|
name = "Execution"
|
|
reference = "https://attack.mitre.org/tactics/TA0002/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1071"
|
|
name = "Application Layer Protocol"
|
|
reference = "https://attack.mitre.org/techniques/T1071/"
|
|
[[rule.threat.technique.subtechnique]]
|
|
id = "T1071.001"
|
|
name = "Web Protocols"
|
|
reference = "https://attack.mitre.org/techniques/T1071/001/"
|
|
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0011"
|
|
name = "Command and Control"
|
|
reference = "https://attack.mitre.org/tactics/TA0011/"
|
|
|