# Endpoint behavioral detection rule (TOML). The consuming tooling appears to
# key on exact field names and values, so treat the metadata and the query
# string as load-bearing; `#` comments are the only safe place for explanation.
[rule]
description = """
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode
projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials,
accounts, and other vital data stolen.
"""
# Stable rule identifier (UUID). Presumably this must stay fixed across edits
# and `version` is what gets bumped — TODO confirm against the repo's conventions.
id = "875b71bb-ef09-46b2-9c12-a95112461e85"
license = "Elastic License v2"
name = "Potential XCSSET Malware Infection"
# Only evaluated on macOS endpoints.
os_list = ["macos"]
reference = ["https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset"]
version = "1.0.2"
# EQL query over process "exec" events. Any ONE of the four OR'd branches is a
# match, and the [[actions]] entry below kills the matched process, so each
# branch has to be precise on its own:
#   1. curl spawned by bash fetching one of the XCSSET-associated URL paths
#      (/sys/log.php, /sys/prepod.php, /sys/bin/Pods) on any host. The patterns
#      are anchored on "https://", so a plain http:// URL would not match.
#   2. osacompile (the AppleScript compiler) run by bash with a path under a
#      user's ~/Library/Group Containers on its command line.
#   3. plutil run by bash with both an LSUIElement argument (the Info.plist key
#      that hides an app from the Dock) and a Group Containers path.
#   4. zip -r with a Group Containers path.
# NOTE(review): branch 4 is the only one without a parent-process constraint.
# Confirm that is intentional — with kill_process attached, a legitimate
# backup/archive of a Group Containers directory would be terminated.
# Keep commentary outside the ''' string: anything inside it is part of the query.
query = '''
process where event.action == "exec" and
(
(process.name : "curl" and process.parent.name : "bash" and
process.args : ("https://*/sys/log.php", "https://*/sys/prepod.php", "https://*/sys/bin/Pods")) or
(process.name : "osacompile" and process.args : "/Users/*/Library/Group Containers/*" and process.parent.name : "bash") or
(process.name : "plutil" and process.args : "LSUIElement" and process.args : "/Users/*/Library/Group Containers/*" and process.parent.name : "bash") or
(process.name : "zip" and process.args : "-r" and process.args : "/Users/*/Library/Group Containers/*")
)
'''
# No user-selectable actions; the mandatory response action is in [[actions]].
optional_actions = []
# Response action taken on a match: terminate the process identified by the
# matched event's process.entity_id. Because this is destructive, any
# loosening of the query above directly raises the cost of a false positive.
[[actions]]
action = "kill_process"
field = "process.entity_id"
# NOTE(review): the meaning of `state` is not visible in this file; presumably
# an enablement/default flag — confirm against the rule schema before changing.
state = 0
# MITRE ATT&CK mapping. Only the tactic is recorded here; no technique or
# sub-technique entries are attached to this rule.
[[threat]]
framework = "MITRE ATT&CK"
# Sub-table of the [[threat]] element above (must stay between it and any
# following [[threat]] header).
[threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
# Oldest endpoint release this rule is delivered to — presumably the first
# version whose query engine and actions support everything used above; confirm
# before raising or lowering it.
[internal]
min_endpoint_version = "7.15.0"