command_and_control_potential_xcsset_malware_infection.toml

[rule]
description = """
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode
projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials,
accounts, and other vital data stolen.
"""
id = "875b71bb-ef09-46b2-9c12-a95112461e85"
license = "Elastic License v2"
name = "Potential XCSSET Malware Infection"
os_list = ["macos"]
reference = ["https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset"]
version = "1.0.2"

query = '''
process where event.action == "exec" and
 (
  (process.name : "curl" and process.parent.name : "bash" and
   process.args : ("https://*/sys/log.php", "https://*/sys/prepod.php", "https://*/sys/bin/Pods")) or

  (process.name : "osacompile" and process.args : "/Users/*/Library/Group Containers/*" and process.parent.name : "bash") or

  (process.name : "plutil" and process.args : "LSUIElement" and process.args : "/Users/*/Library/Group Containers/*" and process.parent.name : "bash") or

  (process.name : "zip" and process.args : "-r" and process.args : "/Users/*/Library/Group Containers/*")
 )
'''

optional_actions = []
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

[[threat]]
framework = "MITRE ATT&CK"

[threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[internal]
min_endpoint_version = "7.15.0"