Potential In-Memory Download And Compile Of Payloads

Aug 22, 2023 · attack.command_and_control attack.execution attack.t1059.007 attack.t1105 ·

Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware

Sigma rule (View on GitHub)

 1title: Potential In-Memory Download And Compile Of Payloads
 2id: 13db8d2e-7723-4c2c-93c1-a4d36994f7ef
 3status: experimental
 4description: Detects potential in-memory downloading and compiling of applets using curl and osacompile as seen used by XCSSET malware
 5references:
 6    - https://redcanary.com/blog/mac-application-bundles/
 7author: Sohan G (D4rkCiph3r), Red Canary (idea)
 8date: 2023/08/22
 9tags:
10    - attack.command_and_control
11    - attack.execution
12    - attack.t1059.007
13    - attack.t1105
14logsource:
15    category: process_creation
16    product: macos
17detection:
18    selection:
19        CommandLine|contains|all:
20            - 'osacompile'
21            - 'curl'
22    condition: selection
23falsepositives:
24    - Unknown
25level: medium

References

How to thwart application bundle manipulation on macOS

Adversaries commonly manipulate application bundles to subvert security controls, elevate privileges, and install malware on macOS devices.

Read More

Potential In-Memory Download And Compile Of Payloads

Sigma rule (View on GitHub)

References

How to thwart application bundle manipulation on macOS

Related rules