Detects the execution of the nscurl utility in order to download files.

Read More

Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.

Read More

Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility. An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.

Read More

Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.

Read More

Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil". An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.

Read More

Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil". An attacker can use this to prevent backups from occurring.

Read More

Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.

Read More

Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.

Read More

Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.

Read More

Detects the use of "sw_vers" for system information discovery

Read More

Detects the execution of "system_profiler" with specific "Data Types" that have been seen being used by threat actors and malware. It provides system hardware and software configuration information. This process is primarily used for system information discovery. However, "system_profiler" can also be used to determine if virtualization software is being run for defense evasion purposes.

Read More

Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.

Read More

Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.

Read More

Detects enumeration of local network configuration

Read More

Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

Read More

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Read More

Detects possible collection of data from the clipboard via execution of the osascript binary

Read More

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Read More

Detects passwords dumps from Keychain

Read More

Detecting attempts to extract passwords with grep and laZagne

Read More

Detects usage of base64 utility to decode arbitrary base64-encoded text

Read More

Detects disabling security tools

Read More

Detects the execution of the hdiutil utility in order to create a disk image.

Read More

Detects the execution of the hdiutil utility in order to mount disk images.

Read More

Detects usage of system utilities to discover files and directories

Read More

Detect file time attribute change to hide new or changes to existing files

Read More

Detects macOS Gatekeeper bypass via xattr utility

Read More

Detects attempts to enable the guest account using the sysadminctl utility

Read More

Detects attempts to use system dialog prompts to capture user credentials

Read More

Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option

Read More

Detects deletion of local audit logs

Read More

Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.

Read More

Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.

Read More

Detects possible malicious execution of JXA in-memory via OSAScript

Read More

Detects enumeration of local system groups

Read More

Detects enumeration of local systeam accounts on MacOS

Read More

Detects enumeration of local or remote network services.

Read More

Detects the enumeration of other remote systems.

Read More

Detects execution of AppleScript of the macOS scripting language AppleScript.

Read More

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Read More

Detects potential suspicious applet or osascript executing "osacompile".

Read More

Detects potential suspicious run-only executions compiled using OSACompile

Read More

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

Read More

Detects usage of "find" binary in a suspicious manner to perform discovery

Read More

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Read More

Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility

Read More

Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.

Read More

Detects attempts to enable the root account via "dsenableroot"

Read More

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Read More

Detects attempts to use screencapture to collect macOS screenshots

Read More

Detects usage of system utilities (only grep for now) to discover security software discovery

Read More

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

Read More

Detection use of the command "split" to split files into parts and possible transfer.

Read More

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Read More

Detects when the macOS Script Editor utility spawns an unusual child process.

Read More

Detects commandline operations on shell history files

Read More

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Read More

Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.

Read More

Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution

Read More

Detects usage of system utilities to discover system network connections

Read More

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Read More

Detects attempts to create and add an account to the admin group via "dscl"

Read More

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

Read More

Detects attempts to create and add an account to the admin group via "sysadminctl"

Read More