Discovery Command Output Written to Suspicious File

Detects when a discovery command is executed followed by the immediate modification of a suspicious file via the same process. Many types of malware execute discovery commands, save the output to a file, and then exfiltrate that file via their C2 channel.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects when a discovery command is executed followed by the immediate modification of a suspicious file via 
the same process. Many types of malware execute discovery commands, save the output to a file, and then 
exfiltrate that file via their C2 channel.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Discovery Command Output Written to Suspicious File"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Discovery Command Output Written to Suspicious File

This rule flags a macOS discovery utility launched from an interactive shell and, within seconds, the same process writing to an unusual or hidden file location, indicating staged reconnaissance for later theft. Adversaries commonly run commands like `whoami`, `ifconfig`, `dscl`, or `system_profiler` and redirect output into `/tmp`, `/Users/Shared`, or a dotfile path to bundle host details before exfiltrating the collected text.

### Possible investigation steps

- Review the created/modified file’s contents, size, and timestamps to confirm it contains discovery output and whether it is being appended across multiple executions.  
- Pivot from the initiating process to identify subsequent child processes or shell commands that compress, encrypt, move, or delete the file, indicating staging and cleanup.  
- Examine concurrent network activity from the same process tree for outbound connections, file uploads, or suspicious DNS/HTTP requests immediately after the write event.  
- Validate the interactive session context by correlating to the logged-in user, terminal/TTY (if available), remote access artifacts (SSH/VPN/remote management), and recent authentication events for that account.  
- Hunt on the host for related staging patterns such as additional hidden files in common drop locations, recent archive creation, or persistence changes (LaunchAgents/LaunchDaemons/crontab) around the alert time.

### False positive analysis

- An administrator or troubleshooting script run from bash/zsh may execute built-in discovery commands (e.g., `system_profiler`, `ifconfig`, `dscl`) and redirect the output into `/tmp`, `/private/tmp`, or `/Users/Shared` as a temporary log or support bundle artifact.  
- A login/profile shell customization (e.g., `.zshrc`/`.bash_profile`) or local diagnostic routine may run `whoami`/`arch`/`csrutil` and append results into a hidden dotfile path (e.g., `/*/.*`) for auditing or environment validation, creating a short command-then-write pattern.

### Response and remediation

- Isolate the macOS host from the network and suspend or terminate the implicated shell/process tree that executed the discovery command and immediately wrote into locations like `/tmp`, `/Users/Shared`, or hidden dotfiles to prevent further staging or exfiltration.  
- Quarantine the written file(s) and any adjacent artifacts (archives, encrypted blobs, renamed copies) from the same directories, preserve them for analysis, and remove the staged data once collection is complete.  
- Identify and eradicate the launch point by reviewing the invoking shell history and user startup scripts (e.g., `.zshrc`, `.bash_profile`) for redirection or scripted discovery, and delete any associated persistence (LaunchAgents/LaunchDaemons, cron entries) tied to the same user or file path.  
- Rotate credentials and invalidate active sessions for the logged-in user that ran the command, and audit recent remote access methods (SSH, remote management, VPN) used on the host to ensure the account was not compromised.  
- Restore the host to a known-good state by reinstalling or reimaging if tampering is suspected, then monitor for re-creation of the same suspicious file paths and repeat discovery-to-file-write behavior from any interactive shell.  
- Escalate to IR leadership immediately if the staged file contains host/user inventory data and there is evidence of outbound transfer attempts (new external connections, upload utilities like `curl`/`scp`, or rapid archive creation) following the write event.
"""
risk_score = 47
rule_id = "60da1bd7-c0b9-4ba2-b487-50a672274c04"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"
query = '''
sequence by process.entity_id with maxspan=15s
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.parent.name in ("bash", "sh", "zsh") and
    process.name in ("whoami", "ifconfig", "system_profiler", "dscl", "arch", "csrutil") and
    process.args_count == 1]
  [file where host.os.type == "macos" and event.action == "modification" and
    file.path like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Library/WebServer/*",
                    "/Library/Graphics/*", "/Library/Fonts/*", "/private/var/root/Library/HTTPStorages/*", "/*/.*") and
    not file.path like ("/private/tmp/*.fifo", "/private/tmp/tcl-tk*")]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Collection"
  id = "TA0009"
  reference = "https://attack.mitre.org/tactics/TA0009/"

  [[rule.threat.technique]]
  name = "Data Staged"
  id = "T1074"
  reference = "https://attack.mitre.org/techniques/T1074/"

    [[rule.threat.technique.subtechnique]]
    name = "Local Data Staging"
    id = "T1074.001"
    reference = "https://attack.mitre.org/techniques/T1074/001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Discovery"
  id = "TA0007"
  reference = "https://attack.mitre.org/tactics/TA0007/"

  [[rule.threat.technique]]
  name = "System Information Discovery"
  id = "T1082"
  reference = "https://attack.mitre.org/techniques/T1082/"
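To see exactly which event pairs the EQL sequence above matches, here is an added example (not Elastic's code) that re-implements the two sequence steps, the shared process.entity_id join and the 15 s maxspan in plain Python and runs them over constructed sample events; the field names (cat, eid, parent, argc, ts) and the sample events are assumptions for the example, and every event is taken to be from a macOS host.

```python
# Added example: the rule's EQL sequence re-implemented in plain Python and
# run over constructed endpoint events, to test the match logic offline.
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

DISCOVERY = {"whoami", "ifconfig", "system_profiler", "dscl", "arch", "csrutil"}
SHELLS = {"bash", "sh", "zsh"}
STAGING = ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Library/WebServer/*",
           "/Library/Graphics/*", "/Library/Fonts/*",
           "/private/var/root/Library/HTTPStorages/*", "/*/.*")
EXCLUDED = ("/private/tmp/*.fifo", "/private/tmp/tcl-tk*")
MAXSPAN = timedelta(seconds=15)  # sequence ... with maxspan=15s

def is_discovery_exec(ev):
    """Step 1: a discovery binary exec'd by an interactive shell with no arguments."""
    return (ev["cat"] == "process" and ev["action"] == "exec" and ev["parent"] in SHELLS
            and ev["name"] in DISCOVERY and ev["argc"] == 1)

def is_staging_write(ev):
    """Step 2: a file modification under a staging/dotfile glob, minus the rule's exclusions."""
    if ev["cat"] != "file" or ev["action"] != "modification":
        return False
    return (any(fnmatchcase(ev["path"], g) for g in STAGING)
            and not any(fnmatchcase(ev["path"], g) for g in EXCLUDED))

def find_sequences(events):
    """Return (exec, write) pairs sharing entity_id where the write follows within MAXSPAN."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_discovery_exec(ev):
            pending[ev["eid"]] = ev            # latest step-1 candidate per process
        elif is_staging_write(ev) and ev["eid"] in pending:
            start = pending[ev["eid"]]
            if ev["ts"] - start["ts"] <= MAXSPAN:
                hits.append((start, ev))
                del pending[ev["eid"]]         # EQL consumes matched events
    return hits

def sample_events():
    """Constructed sample telemetry (assumed field names, not real Elastic Defend events)."""
    t0 = datetime(2026, 1, 30, 12, 0, 0)
    def ex(eid, name, sec, argc=1):
        return {"cat": "process", "action": "exec", "eid": eid, "name": name,
                "parent": "zsh", "argc": argc, "ts": t0 + timedelta(seconds=sec)}
    def wr(eid, path, sec):
        return {"cat": "file", "action": "modification", "eid": eid, "path": path,
                "ts": t0 + timedelta(seconds=sec)}
    return [ex("p1", "system_profiler", 0), wr("p1", "/tmp/.sysinfo", 2),         # hit
            ex("p2", "ifconfig", 10), wr("p2", "/Users/Shared/net.txt", 40),       # > maxspan
            ex("p3", "whoami", 50), wr("p3", "/private/tmp/tcl-tk8.6/out", 51),    # excluded
            ex("p4", "dscl", 60, argc=3), wr("p4", "/tmp/users", 61),              # has args
            ex("p5", "arch", 70), wr("p5", "/Users/bob/.profile_cache", 71)]       # dotfile hit
```

The p2 and p4 cases show why a benign admin script (see the false positive analysis) fires only when the command runs bare and the write lands inside the window.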
