Suspicious Browser Child Process - MacOS

calendar Aug 12, 2024 · attack.initial-access attack.execution attack.t1189 attack.t1203 attack.t1059  ·
Share on: linkedin copy

Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.

Sigma rule (View on GitHub)

 1title: Suspicious Browser Child Process - MacOS
 2id: 0250638a-2b28-4541-86fc-ea4c558fa0c6
 3status: test
 4description: Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
 5references:
 6    - https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang
 7    - https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
 8author: Sohan G (D4rkCiph3r)
 9date: 2023-04-05
10tags:
11    - attack.initial-access
12    - attack.execution
13    - attack.t1189
14    - attack.t1203
15    - attack.t1059
16logsource:
17    category: process_creation
18    product: macos
19detection:
20    selection:
21        ParentImage|contains:
22            - 'com.apple.WebKit.WebContent'
23            - 'firefox'
24            - 'Google Chrome Helper'
25            - 'Google Chrome'
26            - 'Microsoft Edge'
27            - 'Opera'
28            - 'Safari'
29            - 'Tor Browser'
30        Image|endswith:
31            - '/bash'
32            - '/curl'
33            - '/dash'
34            - '/ksh'
35            - '/osascript'
36            - '/perl'
37            - '/php'
38            - '/pwsh'
39            - '/python'
40            - '/sh'
41            - '/tcsh'
42            - '/wget'
43            - '/zsh'
44    filter_main_generic:
45        CommandLine|contains: '--defaults-torrc' # Informs tor to use default config file
46    filter_main_ms_autoupdate:
47        CommandLine|contains: '/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate' # Microsoft AutoUpdate utility
48    filter_main_chrome:
49        ParentImage|contains:
50            - 'Google Chrome Helper'
51            - 'Google Chrome'
52        CommandLine|contains:
53            - '/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh' # Install the Google Chrome browser
54            - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh' # Updates the Google Chrome branding configuration files
55            - '/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh' # Script that performs the post-installation tasks
56    filter_main_ms_edge:
57        ParentImage|contains: 'Microsoft Edge'
58        CommandLine|contains:
59            - 'IOPlatformExpertDevice' # Retrieves the IOPlatformUUID (parent process - Microsoft Edge)
60            - 'hw.model' # Retrieves model name of the computer's hardware (parent process - Microsoft Edge)
61    filter_main_chromerecovery:
62        ParentImage|contains:
63            - 'Google Chrome Helper'
64            - 'Google Chrome'
65        CommandLine|contains|all:
66            - '/Users/'
67            - '/Library/Application Support/Google/Chrome/recovery/'
68            - '/ChromeRecovery'
69    filter_optional_null:
70        # Aoids alerting for the events which do not have command-line arguments
71        CommandLine: null
72    filter_optional_empty:
73        # Aoids alerting for the events which do not have command-line arguments
74        CommandLine: ''
75    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
76falsepositives:
77    - Legitimate browser install, update and recovery scripts
78level: medium

References

Related rules

to-top