Data Source: osquery

Description

Results emitted by the osquery agent: rows returned by scheduled queries and by its event-based tables (process execution, file access, network activity, system configuration), each logged as one JSON object per line and ingested into Splunk with sourcetype osquery:results.

Details

Property     Value
Source       osquery
Sourcetype   osquery:results

Detections using this data source

Name                                                   Technique                 Type
MacOS AMOS Stealer - Virtual Machine Check Activity    AppleScript               Anomaly
MacOS LOLbin                                           Unix Shell                TTP
MacOS plutil Plist File Modification                   Plist File Modification   TTP
Processes Tapping Keyboard Events                      None                      TTP
Suspicious PlistBuddy Usage via OSquery                Launch Agent              TTP

Event Fields

The columns.* fields are the raw osquery table columns of the emitted row; the unprefixed process_id, parent_process_id, process_path, process_current_directory, user_id and dest fields are Splunk-side normalized aliases over them (pid, parent, path, cwd, uid and hostIdentifier respectively). The remaining fields are the osquery result envelope (name, hostIdentifier, calendarTime, unixTime, epoch, counter, numerics) and Splunk metadata.

_time
calendarTime
columns.cdhash
columns.child_pid
columns.cmdline
columns.cmdline_count
columns.cwd
columns.egid
columns.env
columns.env_count
columns.euid
columns.event_type
columns.exit_code
columns.gid
columns.global_seq_num
columns.original_parent
columns.parent
columns.path
columns.pid
columns.platform_binary
columns.seq_num
columns.signing_id
columns.team_id
columns.time
columns.uid
columns.username
columns.version
counter
dest
epoch
eventtype
host
hostIdentifier
index
linecount
name
numerics
parent_process_id
process_current_directory
process_id
process_path
punct
source
sourcetype
splunk_server
src
subject
tag
tag::eventtype
timestamp
unixTime
user_id
vendor_product

Example Log

An es_process_events row (osquery's EndpointSecurity process table) for an exec of /usr/bin/plutil. Note that all column values are strings because numerics is false, and that columns.time (when the exec happened) is 104 seconds earlier than unixTime (when osquery emitted the row).

{
  "name": "es_process_events",
  "hostIdentifier": "HackBook.local",
  "calendarTime": "Tue Mar 29 13:03:51 2022 UTC",
  "unixTime": 1648559031,
  "epoch": 0,
  "counter": 82,
  "numerics": false,
  "columns": {
    "cdhash": "f63c5fbfcf1484b20aa4407a26e087fe3fe28146",
    "child_pid": "",
    "cmdline": "plutil --help ",
    "cmdline_count": "2",
    "cwd": "/Users/patrick",
    "egid": "20",
    "env": "TERM_SESSION_ID=w0t1p0:93AA9D79-7028-49F1-A93D-4EAEFB7BA6E3 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.OOwoeuT9LF/Listeners LC_TERMINAL_VERSION=3.3.7 COLORFGBG=15;0 ITERM_PROFILE=Default XPC_FLAGS=0x0 LANG=de_DE.UTF-8 PWD=/Users/patrick SHELL=/bin/zsh __CFBundleIdentifier=com.googlecode.iterm2 TERM_PROGRAM_VERSION=3.3.7 TERM_PROGRAM=iTerm.app PATH=/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/Applications/VMware Fusion.app/Contents/Public:/Library/Apple/usr/bin LC_TERMINAL=iTerm2 COLORTERM=truecolor COMMAND_MODE=unix2003 TERM=xterm-256color HOME=/Users/patrick TMPDIR=/var/folders/tc/m9brp20d1mvfgssff70501m40000gn/T/ USER=patrick XPC_SERVICE_NAME=0 LOGNAME=patrick ITERM_SESSION_ID=w0t1p0:93AA9D79-7028-49F1-A93D-4EAEFB7BA6E3 __CF_USER_TEXT_ENCODING=0x0:0:3 SHLVL=1 OLDPWD=/Users/patrick HISTTIMEFORMAT=%F %T  ZSH=/Users/patrick/.oh-my-zsh PAGER=less LESS=-R LSCOLORS=Gxfxcxdxbxegedabagacad _=/usr/bin/plutil ",
    "env_count": "32",
    "euid": "20",
    "event_type": "exec",
    "exit_code": "",
    "gid": "20",
    "global_seq_num": "440",
    "original_parent": "2971",
    "parent": "2971",
    "path": "/usr/bin/plutil",
    "pid": "6449",
    "platform_binary": "1",
    "seq_num": "154",
    "signing_id": "com.apple.Foundation.plutil",
    "team_id": "",
    "time": "1648558927",
    "uid": "501",
    "username": "patrick",
    "version": "4"
  },
  "action": "added"
}
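The following is an added example, not part of this page or of the Splunk Security Content project, showing how the osquery result line above maps onto the normalized fields listed under Event Fields and how a process-event check can be run over such lines offline. The first sample record is the page's example event with its long env string shortened; the second record, the plist path and the filename com.example.agent.plist are constructed for the example. The plutil_modifies_plist check is illustrative logic written here in the spirit of the "MacOS plutil Plist File Modification" detection, not that detection's actual Splunk search.

```python
import json
import os
import shlex
from typing import Any, Dict, List, Tuple

# Constructed sample input: two osquery result lines, one JSON object per line, as the
# osquery results logger emits them. Record 1 is the page's example es_process_events
# event with "env" shortened (so env_count is adjusted). Record 2 is made up for this
# example: plutil inserting a key into a LaunchAgent plist; the plist path is an assumption.
SAMPLE_RESULTS: List[str] = [
    json.dumps({
        "name": "es_process_events", "hostIdentifier": "HackBook.local",
        "calendarTime": "Tue Mar 29 13:03:51 2022 UTC", "unixTime": 1648559031,
        "epoch": 0, "counter": 82, "numerics": False, "action": "added",
        "columns": {
            "cdhash": "f63c5fbfcf1484b20aa4407a26e087fe3fe28146", "child_pid": "",
            "cmdline": "plutil --help ", "cmdline_count": "2", "cwd": "/Users/patrick",
            "egid": "20", "env": "SHELL=/bin/zsh USER=patrick _=/usr/bin/plutil ",
            "env_count": "3", "euid": "20", "event_type": "exec", "exit_code": "",
            "gid": "20", "global_seq_num": "440", "original_parent": "2971",
            "parent": "2971", "path": "/usr/bin/plutil", "pid": "6449",
            "platform_binary": "1", "seq_num": "154",
            "signing_id": "com.apple.Foundation.plutil", "team_id": "",
            "time": "1648558927", "uid": "501", "username": "patrick", "version": "4",
        },
    }),
    json.dumps({
        "name": "es_process_events", "hostIdentifier": "HackBook.local",
        "calendarTime": "Tue Mar 29 13:05:10 2022 UTC", "unixTime": 1648559110,
        "epoch": 0, "counter": 83, "numerics": False, "action": "added",
        "columns": {
            "cdhash": "f63c5fbfcf1484b20aa4407a26e087fe3fe28146", "child_pid": "",
            "cmdline": "plutil -insert RunAtLoad -bool true "
                       "/Users/patrick/Library/LaunchAgents/com.example.agent.plist ",
            "cmdline_count": "6", "cwd": "/Users/patrick", "egid": "20",
            "env": "SHELL=/bin/zsh USER=patrick _=/usr/bin/plutil ", "env_count": "3",
            "euid": "20", "event_type": "exec", "exit_code": "", "gid": "20",
            "global_seq_num": "441", "original_parent": "2971", "parent": "2971",
            "path": "/usr/bin/plutil", "pid": "6460", "platform_binary": "1",
            "seq_num": "155", "signing_id": "com.apple.Foundation.plutil", "team_id": "",
            "time": "1648559100", "uid": "501", "username": "patrick", "version": "4",
        },
    }),
]

# plutil operations that rewrite the target plist in place by default
# (-p, -lint and -extract only read it).
PLUTIL_WRITE_OPS = {"-convert", "-insert", "-replace", "-remove"}


def normalize(line: str) -> Dict[str, Any]:
    """Map one osquery result line onto the normalized field names listed on this page.

    With "numerics": false every column value arrives as a string ("pid": "6449"), so the
    numeric fields are cast here; int() also accepts the number form osquery emits when
    numerics is true.
    """
    event = json.loads(line)
    cols = event["columns"]
    return {
        "dest": event["hostIdentifier"],
        "process_id": int(cols["pid"]),
        "parent_process_id": int(cols["parent"]),
        "process_path": cols["path"],
        "process_name": os.path.basename(cols["path"]),
        "process_current_directory": cols["cwd"],
        "user_id": int(cols["uid"]),
        "user": cols["username"],
        "cmdline": cols["cmdline"].strip(),
        "event_type": cols["event_type"],
        "platform_binary": cols["platform_binary"] == "1",
        "signing_id": cols["signing_id"],
        # columns.time is when the exec happened; unixTime is when osquery logged the row.
        "timestamp": int(cols["time"]),
        "logged_at": int(event["unixTime"]),
    }


def ingest_lag_seconds(norm: Dict[str, Any]) -> int:
    """Seconds between the event occurring and osquery emitting it (104 s for the page's example)."""
    return norm["logged_at"] - norm["timestamp"]


def plutil_modifies_plist(norm: Dict[str, Any]) -> bool:
    """Illustrative check: a plutil exec whose arguments carry a write operation and a
    .plist target. 'plutil --help' does not match; 'plutil -insert ... x.plist' does."""
    if norm["event_type"] != "exec" or norm["process_name"] != "plutil":
        return False
    try:
        args = shlex.split(norm["cmdline"])
    except ValueError:  # unbalanced quotes in a hostile command line
        args = norm["cmdline"].split()
    return any(a in PLUTIL_WRITE_OPS for a in args) and any(a.lower().endswith(".plist") for a in args)


def flag_results(lines: List[str]) -> List[Tuple[str, int, str]]:
    """Return (dest, process_id, cmdline) for every result line the check matches."""
    return [(n["dest"], n["process_id"], n["cmdline"])
            for n in map(normalize, lines) if plutil_modifies_plist(n)]


if __name__ == "__main__":
    for hit in flag_results(SAMPLE_RESULTS):
        print("plutil plist write:", hit)
```

When building searches over this sourcetype, key on columns.time (or the normalized _time derived from it) rather than unixTime for event ordering, and remember that string-typed numeric columns compare lexically unless cast.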

Source: GitHub | Version: 2