Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Detects potential suspicious applet or osascript executing "osacompile".

Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.

Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility

Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters

Detects attempts to enable the guest account using the sysadminctl utility

Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.

Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution

Detects execution of AppleScript of the macOS scripting language AppleScript.

Detects potential suspicious run-only executions compiled using OSACompile

Detects passwords dumps from Keychain

Detects usage of "find" binary in a suspicious manner to perform discovery

Detects possible collection of data from the clipboard via execution of the osascript binary

Detects possible malicious execution of JXA in-memory via OSAScript

Detect file time attribute change to hide new or changes to existing files

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

Detects enumeration of local network configuration

Detects when the macOS Script Editor utility spawns an unusual child process.

Detects usage of system utilities to discover system network connections

Detects attempts to use system dialog prompts to capture user credentials

Detects enumeration of local system groups

Detects enumeration of local systeam accounts on MacOS

Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.

Detects usage of system utilities (only grep for now) to discover security software discovery

Detects usage of base64 utility to decode arbitrary base64-encoded text

Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.

Detects usage of system utilities to discover files and directories

Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.

Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.

Detecting attempts to extract passwords with grep and laZagne

Detects disabling security tools

Detects macOS Gatekeeper bypass via xattr utility

Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option

Detects deletion of local audit logs

Detects enumeration of local or remote network services.

Detects the enumeration of other remote systems.

Detects attempts to use screencapture to collect macOS screenshots

Detection use of the command "split" to split files into parts and possible transfer.

Detects commandline operations on shell history files

Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.