Potential In-Memory Download And Compile Of Payloads
Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
Sigma rule (View on GitHub)
1title: Potential In-Memory Download And Compile Of Payloads
2id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
3status: test
4description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
5references:
6 - https://redcanary.com/blog/mac-application-bundles/
7author: Sohan G (D4rkCiph3r), Red Canary (idea)
8date: 2023-08-22
9tags:
10 - attack.command-and-control
11 - attack.execution
12 - attack.t1059.007
13 - attack.t1105
14logsource:
15 category: process_creation
16 product: macos
17detection:
18 selection:
19 CommandLine|contains|all:
20 - 'osacompile'
21 - 'curl'
22 condition: selection
23falsepositives:
24 - Unknown
25level: medium
References
-
Adversaries commonly manipulate application bundles to subvert security controls, elevate privileges, and install malware on macOS devices.
Read More
Related rules
- Command Line Execution with Suspicious URL and AppData Strings
- Greenbug Espionage Group Indicators
- Suspicious Installer Package Child Process
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact