Potential In-Memory Download And Compile Of Payloads

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Sigma rule (View on GitHub)

 1title: Potential In-Memory Download And Compile Of Payloads
 2id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
 3status: test
 4description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
 5references:
 6    - https://redcanary.com/blog/mac-application-bundles/
 7author: Sohan G (D4rkCiph3r), Red Canary (idea)
 8date: 2023-08-22
 9tags:
10    - attack.command-and-control
11    - attack.execution
12    - attack.t1059.007
13    - attack.t1105
14logsource:
15    category: process_creation
16    product: macos
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'osacompile'
21            - 'curl'
22    condition: selection
23falsepositives:
24    - Unknown
25level: medium

References

Related rules

to-top