ID | Technique | Tactic |
---|---|---|
T1059.004 | Unix Shell | Execution |
T1059 | Command and Scripting Interpreter | Execution |
Detection: MacOS LOLbin
Description
The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as "find", "crontab", "screencapture", "openssl", "curl", "wget", "killall", and "funzip". This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.
Search
1`osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*")
2| rename columns.* as *
3| stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host
4| rename username as user, cmdline as process, path as process_path, host as dest
5| where dc_path > 3
6| `security_content_ctime(firstTime)`
7| `security_content_ctime(lastTime)`
8| `macos_lolbin_filter`
Data Source
No data sources specified for this detection.
Macros Used
Name | Value |
---|---|
osquery_macro | sourcetype=osquery:results |
macos_lolbin_filter | search * |
macos_lolbin_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.
Known False Positives
None identified.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
Multiplle LOLbin are executed on host $dest$ by user $user$ | 25 | 50 | 50 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | osquery |
osquery:results |
Integration | ✅ Passing | Dataset | osquery |
osquery:results |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4