Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from a macOS installer package parent process. This includes osascript, JXA, curl and wget, amongst other interpreters.
Sigma rule
```yaml
title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: test
description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
references:
    - https://redcanary.com/blog/clipping-silver-sparrows-wings/
    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_installer_package_spawned_network_event.toml
author: Sohan G (D4rkCiph3r)
date: 2023-02-18
tags:
    - attack.t1059
    - attack.t1059.007
    - attack.t1071
    - attack.t1071.001
    - attack.execution
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_installer:
        ParentImage|endswith:
            - '/package_script_service'
            - '/installer'
        Image|endswith:
            - '/sh'
            - '/bash'
            - '/dash'
            - '/python'
            - '/ruby'
            - '/perl'
            - '/php'
            - '/javascript'
            - '/osascript'
            - '/tclsh'
            - '/curl'
            - '/wget'
        CommandLine|contains:
            - 'preinstall'
            - 'postinstall'
    condition: selection_installer
falsepositives:
    - Legitimate software uses the scripts (preinstall, postinstall)
level: medium
```
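As an added example (not the Sigma project's code or part of the rule), a small Python evaluator that applies `selection_installer` to constructed `process_creation` events so the AND-across-fields, OR-within-list semantics can be checked directly. The event paths and command lines are constructed, and the full path assumed for `package_script_service` is illustrative.

```python
# Added example, not part of the Sigma rule or the Sigma project: a minimal
# evaluator for selection_installer over constructed process_creation events.
# Values copied from the rule above. Sigma ANDs the fields inside one
# selection and ORs the values in each list.
PARENT_IMAGE_SUFFIXES = ("/package_script_service", "/installer")
IMAGE_SUFFIXES = (
    "/sh", "/bash", "/dash", "/python", "/ruby", "/perl", "/php",
    "/javascript", "/osascript", "/tclsh", "/curl", "/wget",
)
COMMANDLINE_SUBSTRINGS = ("preinstall", "postinstall")


def matches(event: dict) -> bool:
    """True when every field condition of selection_installer holds."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # str.endswith accepts a tuple, giving the OR over the list values.
    return (
        parent.endswith(PARENT_IMAGE_SUFFIXES)
        and image.endswith(IMAGE_SUFFIXES)
        and any(s in cmdline for s in COMMANDLINE_SUBSTRINGS)
    )


# Constructed sample events (not real telemetry), in the rule's field names.
PKG_SVC = "/System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/XPCServices/package_script_service.xpc/Contents/MacOS/package_script_service"
EVENTS = [
    # 0: alerts, package_script_service runs a postinstall script via sh
    {"ParentImage": PKG_SVC, "Image": "/bin/sh",
     "CommandLine": "/bin/sh /tmp/PKInstallSandbox/Scripts/com.example.pkg/postinstall"},
    # 1: alerts, installer spawns python for a preinstall script
    {"ParentImage": "/usr/sbin/installer", "Image": "/usr/bin/python",
     "CommandLine": "/usr/bin/python /tmp/PKInstallSandbox/Scripts/com.example.pkg/preinstall"},
    # 2: no alert, interpreter matches but the command line lacks both keywords
    {"ParentImage": "/usr/sbin/installer", "Image": "/bin/bash",
     "CommandLine": "bash -c 'echo hello'"},
    # 3: no alert, '/zsh' is not in the Image list ("/bin/zsh".endswith("/sh") is False)
    {"ParentImage": "/usr/sbin/installer", "Image": "/bin/zsh",
     "CommandLine": "zsh ./postinstall"},
    # 4: no alert, parent is not an installer process
    {"ParentImage": "/usr/bin/login", "Image": "/bin/sh",
     "CommandLine": "sh ./postinstall"},
]


def alerting_indices(events=EVENTS) -> list:
    """Indices of the events that satisfy the rule."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Event 3 illustrates a gap worth knowing when tuning: the `Image|endswith` list has no `/zsh`, so a pre/postinstall script executed through zsh, the default shell on current macOS, is not covered by this rule.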
Related rules
- Potential In-Memory Download And Compile Of Payloads
- Ursnif Malware C2 URL Pattern
- APT User Agent
- APT40 Dropbox Tool User Agent
- Abusable DLL Potential Sideloading From Suspicious Location