Suspicious Installer Package Spawns Network Event

  1[metadata]
  2creation_date = "2021/02/23"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/04/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a
 11network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS
 12installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect
 13their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or
 14malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.
 15"""
 16false_positives = [
 17    """
 18    Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known
 19    behavior is causing false positives, it can be excluded from the rule.
 20    """,
 21]
 22from = "now-9m"
 23index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 24language = "eql"
 25license = "Elastic License v2"
 26name = "Suspicious Installer Package Spawns Network Event"
 27references = [
 28    "https://redcanary.com/blog/clipping-silver-sparrows-wings",
 29    "https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520",
 30    "https://github.com/D00MFist/Mystikal",
 31]
 32risk_score = 47
 33rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
 34setup = """## Setup
 35
 36This rule requires data coming in from Elastic Defend.
 37
 38### Elastic Defend Integration Setup
 39Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 40
 41#### Prerequisite Requirements:
 42- Fleet is required for Elastic Defend.
 43- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 44
 45#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 46- Go to the Kibana home page and click "Add integrations".
 47- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 48- Click "Add Elastic Defend".
 49- Configure the integration name and optionally add a description.
 50- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 51- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 52- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 53- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 54For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 55- Click "Save and Continue".
 56- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 57For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 58"""
 59severity = "medium"
 60tags = [
 61    "Domain: Endpoint",
 62    "OS: macOS",
 63    "Use Case: Threat Detection",
 64    "Tactic: Execution",
 65    "Tactic: Command and Control",
 66    "Data Source: Elastic Defend",
 67    "Resources: Investigation Guide",
 68]
 69type = "eql"
 70
 71query = '''
 72sequence by host.id, process.entity_id with maxspan=15s
 73[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.parent.name like~ ("installer", "package_script_service") and ((process.name in ("bash", "sh", "zsh") and process.args == "-c") or (process.name like~ ("python*", "osascript", "tclsh*", "curl", "nscurl")))]
 74[network where host.os.type == "macos" and event.type == "start"]
 75'''
 76note = """## Triage and analysis
 77
 78> **Disclaimer**:
 79> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 80
 81### Investigating Suspicious Installer Package Spawns Network Event
 82
 83MacOS installer packages, often with a .pkg extension, are used to distribute software. Adversaries exploit this by embedding scripts to execute additional commands or download malicious payloads. The detection rule identifies suspicious behavior by monitoring for installer packages spawning shell processes followed by network activity, indicating potential malicious activity.
 84
 85### Possible investigation steps
 86
 87- Review the process details to identify the parent process name and entity ID, focusing on processes like "installer" or "package_script_service" that initiated the suspicious activity.
 88- Examine the child process that was spawned, such as "bash", "sh", or "python", to determine the commands executed and assess if they align with typical installation behavior or appear malicious.
 89- Investigate the network activity associated with the suspicious process, particularly looking at processes like "curl" or "wget", to identify any external connections made and the destination IP addresses or domains.
 90- Check the timestamp and sequence of events to confirm if the network activity closely followed the process execution, indicating a potential download or data exfiltration attempt.
 91- Analyze any downloaded files or payloads for malicious content using threat intelligence tools or sandbox environments to determine their intent and potential impact.
 92- Correlate the findings with known threat actor tactics or campaigns, leveraging threat intelligence sources to assess if the activity matches any known patterns or indicators of compromise.
 93
 94### False positive analysis
 95
 96- Legitimate software installations may trigger this rule if they use scripts to configure network settings or download updates. Users can create exceptions for known safe software by whitelisting specific installer package names or hashes.
 97- System administrators often use scripts to automate software deployment and updates, which might involve network activity. To reduce false positives, exclude processes initiated by trusted administrative tools or scripts.
 98- Development environments on macOS might execute scripts that connect to the internet for dependencies or updates. Users can mitigate this by excluding processes associated with known development tools or environments.
 99- Some security tools or monitoring software may use scripts to perform network checks or updates. Identify and exclude these processes if they are verified as non-threatening.
100- Frequent updates from trusted software vendors might trigger this rule. Users should maintain an updated list of trusted vendors and exclude their processes from triggering alerts.
101
102### Response and remediation
103
104- Isolate the affected MacOS system from the network immediately to prevent further malicious activity or data exfiltration.
105- Terminate any suspicious processes identified in the alert, such as those initiated by the installer package, to halt ongoing malicious actions.
106- Conduct a thorough review of the installed applications and remove any unauthorized or suspicious software, especially those with a .pkg extension.
107- Restore the system from a known good backup if available, ensuring that the backup predates the installation of the malicious package.
108- Update and patch the MacOS system and all installed applications to the latest versions to mitigate vulnerabilities that could be exploited by similar threats.
109- Monitor network traffic for any signs of command and control communication or data exfiltration attempts, using the indicators identified in the alert.
110- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""
111
112
113[[rule.threat]]
114framework = "MITRE ATT&CK"
115[[rule.threat.technique]]
116id = "T1059"
117name = "Command and Scripting Interpreter"
118reference = "https://attack.mitre.org/techniques/T1059/"
119[[rule.threat.technique.subtechnique]]
120id = "T1059.007"
121name = "JavaScript"
122reference = "https://attack.mitre.org/techniques/T1059/007/"
123
124
125
126[rule.threat.tactic]
127id = "TA0002"
128name = "Execution"
129reference = "https://attack.mitre.org/tactics/TA0002/"
130[[rule.threat]]
131framework = "MITRE ATT&CK"
132[[rule.threat.technique]]
133id = "T1071"
134name = "Application Layer Protocol"
135reference = "https://attack.mitre.org/techniques/T1071/"
136[[rule.threat.technique.subtechnique]]
137id = "T1071.001"
138name = "Web Protocols"
139reference = "https://attack.mitre.org/techniques/T1071/001/"
140
141
142
143[rule.threat.tactic]
144id = "TA0011"
145name = "Command and Control"
146reference = "https://attack.mitre.org/tactics/TA0011/"