Suspicious File Creation via Pkg Install Script

Detects when an installer package executes a pre or post install script that immediately copies a file to suspicious locations on the filesystem. This activity is not common and usually indicates a malicious package attempting to install persistence or establish a working directory for malware.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects when an installer package executes a pre or post install script that immediately copies a file
to suspicious locations on the filesystem. This activity is not common and usually indicates a malicious
package attempting to install persistence or establish a working directory for malware.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious File Creation via Pkg Install Script"
references = [
    "https://objective-see.org/blog/blog_0x51.html"
]
risk_score = 73
rule_id = "1955e925-6679-4535-9c1b-28ebf369f35f"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious File Creation via Pkg Install Script

macOS installer packages (.pkg) can include pre-install and post-install scripts that execute with elevated privileges during installation. While legitimate software uses these scripts for proper setup, threat actors abuse this capability to deploy malware, establish persistence, or stage additional payloads under the guise of legitimate software installation. This detection rule identifies when pkg install scripts copy executables or scripts to suspicious locations outside standard installation directories.

### Possible investigation steps

- Examine the process.args to identify the specific pkg install script path and determine which package triggered the alert.
- Review the file.path to understand where files were copied and assess whether the destination is a known malware staging location or persistence directory.
- Analyze the file.Ext.header_bytes to confirm the file type (Mach-O binary indicated by cffaedfe or cafebabe, or script files like .py, .sh, .js).
- Locate the original installer package if still available and examine its contents, including the preinstall and postinstall scripts using pkgutil --expand.
- Check the package's code signature and notarization status using pkgutil --check-signature and spctl --assess to determine if it passed Apple's security review.
- Review the download source or delivery mechanism for the installer package to understand how it reached the system.
- Search for the same package hash across other systems in the environment to identify potential widespread deployment.

### False positive analysis

- Legitimate software installers may deploy helper tools or scripts to /usr/local/bin/ or other locations. Verify the package's origin and signing status.
- Development tools and frameworks may install additional components to various directories during setup. Confirm with development teams if installations were expected.
- Enterprise software deployment may use installer scripts that deploy files to custom locations. Review with IT operations to document expected installation patterns.
- Temporary files during complex installations may appear in /tmp/ or /var/folders/ briefly. These typically don't persist after installation completes.

### Response and remediation

- Terminate any suspicious processes that were spawned by the malicious installer script.
- Remove the files that were copied to suspicious locations, including any persistence mechanisms like LaunchAgents or LaunchDaemons.
- Quarantine the original installer package for forensic analysis and submission to Apple for notarization revocation if appropriate.
- Review system logs for all actions taken during the malicious installation to identify the full scope of changes.
- Scan the system for additional malware components or persistence mechanisms that may have been deployed.
- Report the malicious package to Apple at reportaproblem.apple.com to request notarization revocation.
- Check other systems that may have installed the same package and remediate accordingly.
- Review endpoint security policies to prevent future execution of unsigned or revoked installer packages.
"""
query = '''
sequence by process.entity_id with maxspan=30s
  [process where host.os.type == "macos" and event.type == "start" and process.name in ("bash", "sh", "zsh") and
    process.args like~ ("/tmp/PKInstallSandbox.*/Scripts/com.*/preinstall",
                        "/tmp/PKInstallSandbox.*/Scripts/*/postinstall") and
    process.args like ("/Users/*", "/Volumes/*") and
    not process.args like~ "/Users/*/Library/Caches/*"]
  [file where host.os.type == "macos" and event.action != "deletion" and process.name in ("mv", "cp") and
    (file.extension in ("py", "js", "sh", "scpt", "terminal", "tcl", "app", "pkg", "dmg", "command") or
      file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*")) and
    file.path like ("/private/etc/*", "/var/tmp/*", "/tmp/*", "/var/folders/*", "/Users/Shared/*",
                    "/Library/Graphics/*", "/Library/Containers/*", "/Users/*/Library/Containers/*",
                    "/Users/*/Library/Services/*", "/Users/*/Library/Preferences/*", "/var/root/*",
                    "/Library/WebServer/*", "/Library/Fonts/*", "/usr/local/bin/*") and
    not file.name == "CodeResources"]
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Persistence"
  id = "TA0003"
  reference = "https://attack.mitre.org/tactics/TA0003/"

  [[rule.threat.technique]]
  name = "Event Triggered Execution"
  id = "T1546"
  reference = "https://attack.mitre.org/techniques/T1546/"

    [[rule.threat.technique.subtechnique]]
    name = "Installer Packages"
    id = "T1546.016"
    reference = "https://attack.mitre.org/techniques/T1546/016/"
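As an added example (not Elastic's code and not part of the rule page), the following Python reproduces the query's logic over constructed endpoint events, so that the two stages, the join on process.entity_id within the 30 s window, the case-sensitive `like` versus case-insensitive `like~` glob semantics, and the file.Ext.header_bytes branch that the triage guide's third investigation step refers to can all be checked offline. Event field names follow the query; the entity ids, sandbox directory names, package paths and header bytes are made up.

```python
# Added example, not Elastic's code: Python emulation of the rule's EQL sequence
# over constructed endpoint events (field names follow the query; contents are made up).
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

MAXSPAN = timedelta(seconds=30)  # `with maxspan=30s`
SCRIPT_PATTERNS = ("/tmp/PKInstallSandbox.*/Scripts/com.*/preinstall",   # stage 1, `like~`
                   "/tmp/PKInstallSandbox.*/Scripts/*/postinstall")
USER_PATH_PATTERNS = ("/Users/*", "/Volumes/*")                          # stage 1, `like`
CACHE_EXCLUSION = ("/Users/*/Library/Caches/*",)                         # stage 1, `not ... like~`
SUSPICIOUS_EXTENSIONS = {"py", "js", "sh", "scpt", "terminal", "tcl", "app", "pkg", "dmg", "command"}
MACHO_MAGIC_PREFIXES = ("cffaedfe", "cafebabe")  # MH_MAGIC_64 (little-endian) and FAT_MAGIC
SUSPICIOUS_DESTINATIONS = (
    "/private/etc/*", "/var/tmp/*", "/tmp/*", "/var/folders/*", "/Users/Shared/*",
    "/Library/Graphics/*", "/Library/Containers/*", "/Users/*/Library/Containers/*",
    "/Users/*/Library/Services/*", "/Users/*/Library/Preferences/*", "/var/root/*",
    "/Library/WebServer/*", "/Library/Fonts/*", "/usr/local/bin/*")

def any_match(values, patterns, fold_case=False):
    """EQL `like` over an array field: true if any value matches any glob. fold_case=True
    emulates `like~`; fnmatchcase keeps `like` case-sensitive and, as in EQL, `*` spans '/'."""
    for value in values:
        for pattern in patterns:
            v, p = (value.lower(), pattern.lower()) if fold_case else (value, pattern)
            if fnmatchcase(v, p):
                return True
    return False

def is_macho_header(header_bytes_hex):
    """file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*"); tolerates a missing field."""
    return (header_bytes_hex or "").lower().startswith(MACHO_MAGIC_PREFIXES)

def is_install_script_start(ev):
    """Stage 1: a shell starting an Installer pre/postinstall script."""
    if (ev.get("host.os.type") != "macos" or ev.get("event.category") != "process"
            or ev.get("event.type") != "start" or ev.get("process.name") not in ("bash", "sh", "zsh")):
        return False
    args = ev.get("process.args", [])
    return (any_match(args, SCRIPT_PATTERNS, fold_case=True)
            and any_match(args, USER_PATH_PATTERNS)
            and not any_match(args, CACHE_EXCLUSION, fold_case=True))

def is_suspicious_copy(ev):
    """Stage 2: cp/mv produced a script or Mach-O in one of the watched directories."""
    if (ev.get("host.os.type") != "macos" or ev.get("event.category") != "file"
            or ev.get("event.action") == "deletion" or ev.get("process.name") not in ("mv", "cp")):
        return False
    looks_executable = (ev.get("file.extension") in SUSPICIOUS_EXTENSIONS
                        or is_macho_header(ev.get("file.Ext.header_bytes")))
    return (looks_executable and ev.get("file.name") != "CodeResources"
            and any_match([ev.get("file.path", "")], SUSPICIOUS_DESTINATIONS))

def detect(events):
    """`sequence by process.entity_id with maxspan=30s [stage 1] [stage 2]`: returns (stage1, stage2)
    pairs. A newer stage-1 event for the same entity replaces the pending one; late stage 2 is dropped."""
    pending, hits = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = ev["process.entity_id"]
        if is_install_script_start(ev):
            pending[key] = ev
        elif key in pending and is_suspicious_copy(ev):
            if ev["@timestamp"] - pending[key]["@timestamp"] <= MAXSPAN:
                hits.append((pending.pop(key), ev))
    return hits

T0 = datetime(2026, 1, 30, 12, 0, 0)

def start_event(eid, secs, script, pkg):  # constructed process-start event
    return {"@timestamp": T0 + timedelta(seconds=secs), "event.category": "process",
            "event.type": "start", "host.os.type": "macos", "process.name": "sh",
            "process.entity_id": eid, "process.args": ["/bin/sh", script, pkg, "/", "/", "/"]}

def copy_event(eid, secs, path, ext, header):  # constructed file-creation event attributed to cp
    return {"@timestamp": T0 + timedelta(seconds=secs), "event.category": "file",
            "event.action": "creation", "host.os.type": "macos", "process.name": "cp",
            "process.entity_id": eid, "file.path": path, "file.name": path.rsplit("/", 1)[-1],
            "file.extension": ext, "file.Ext.header_bytes": header}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    # p1: postinstall drops a shell script into /Users/Shared 4 s later -> alert
    start_event("p1", 0, "/tmp/PKInstallSandbox.AbCdEf/Scripts/com.example.helper.XyZ/postinstall",
                "/Users/alice/Downloads/Helper.pkg"),
    copy_event("p1", 4, "/Users/Shared/.update.sh", "sh", "23212f62696e2f7368"),
    # p2: preinstall copies a Mach-O into /Applications, which is not a watched path -> no alert
    start_event("p2", 10, "/tmp/PKInstallSandbox.GhIjKl/Scripts/com.example.tool.MnO/preinstall",
                "/Volumes/Install/Tool.pkg"),
    copy_event("p2", 12, "/Applications/Tool.app/Contents/MacOS/Tool", "", "cffaedfe07000001"),
    # p3: like p1, but the copy lands 45 s after the script started -> outside maxspan, no alert
    start_event("p3", 20, "/tmp/PKInstallSandbox.PqRsTu/Scripts/com.example.late.VwX/postinstall",
                "/Users/bob/Downloads/Late.pkg"),
    copy_event("p3", 65, "/tmp/.late.py", "py", "696d706f7274206f73"),
    # p4: extensionless Mach-O into /usr/local/bin -> the header-bytes branch fires, alert
    start_event("p4", 30, "/tmp/PKInstallSandbox.YzAbCd/Scripts/com.example.daemon.EfG/postinstall",
                "/Users/carol/Downloads/Daemon.pkg"),
    copy_event("p4", 31, "/usr/local/bin/helperd", "", "cffaedfe0700000103000000"),
]
```

`detect(SAMPLE_EVENTS)` returns two pairs, for p1 and p4: p2 fails the destination test and p3 falls outside the 30 s window even though its file would otherwise match. `is_macho_header` is the same check an analyst applies by hand to file.Ext.header_bytes during triage; the eight hex digits correspond to the first four bytes of the file.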
