query = ```
sequence by host.id with maxspan=30s
  [process where event.type in ("start", "process_started") and process.name : "chmod" and
   // both arguments must be present: an EQL list ("a", "b") means any-of, so each is tested separately
   process.args : "/Users/Shared/*.app" and process.args : "+x" and
   not process.args : ("-*", "=*", "*-*")
  ]
  [process where event.type in ("start", "process_started") and process.name : "rm" and
   process.args : "/Users/*/Downloads/*.App" and process.args : "-fr" and
   not process.args : ("-d", "-i", "-P", "-v", "-W")
  ]
```
Last active June 9, 2021 06:47
OSX/Dok Malware to Elastic Detection Rule
query = ```
file where event.type != "deletion" and
  file.path : ("/Users/*/Library/LaunchAgents/com.apple.Safari.pac.plist",
               "/Users/*/Library/LaunchAgents/com.apple.Safari.proxy.plist",
               "/Users/*/Library/LaunchAgents/homebrew.mxcl.tor.plist")
```
query = ```
sequence by host.id with maxspan=1m
  [process where event.type in ("start", "process_started") and
   process.name : ("brew", "tor", "socat") and process.parent.executable :
   ("/usr/local/bin/brew", "/usr/local/bin/tor", "/usr/local/bin/socat")]
  [process where event.type in ("start", "process_started") and
   process.name : "killall" and process.args :
   (
     "Safari",
     "Google Chrome",  // the shell strips the quotes, so process.args holds the bare value
     "firefox"
   )]
  [process where event.type in ("start", "process_started") and process.name == "security" and
   process.args : ("add-trusted-cert", "trustRoot", "/Library/Keychains/System.keychain*") and not
   process.args : // Reduce False Positives
   (
     "find-certificate",
     "set-keychain-settings",
     "delete-certificate",
     "show-keychain-info",
     "lock-keychain",
     "set-key-partition-list",
     "import",
     "login.keychain-db",
     "login.keychain",
     "find-identity"
   )]
```
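To show what the `sequence by host.id with maxspan` rules above actually do when evaluated, here is an added example that is not part of the gist and not Elastic's EQL engine: a small Python evaluator that applies the first rule's two stages (chmod +x on an app bundle under /Users/Shared, then rm -fr of an app in a user's Downloads folder within 30 seconds on the same host) to constructed process events. The field names mirror ECS as used in the gist; the host ids, timestamps, paths and app names are made up for illustration, and the matcher keeps only one pending chain per host, which is enough to illustrate the per-host join, the maxspan window and the argument exclusions.

```python
"""Added example (not the gist's code): evaluate the chmod -> rm sequence
rule over constructed process events, mimicking EQL's
`sequence by host.id with maxspan=30s` semantics for the simple case."""
from datetime import datetime, timedelta
from fnmatch import fnmatchcase


def arg_match(args, pattern):
    """EQL-style `process.args : pattern`: case-insensitive wildcard match
    against any element of the args array."""
    p = pattern.lower()
    return any(fnmatchcase(a.lower(), p) for a in args)


def is_chmod_stage(ev):
    """Stage 1: chmod +x on an app bundle under /Users/Shared, with none of
    the option-style arguments the rule excludes."""
    args = ev["process.args"]
    return (ev["event.type"] in ("start", "process_started")
            and ev["process.name"].lower() == "chmod"
            and arg_match(args, "/Users/Shared/*.app")
            and arg_match(args, "+x")
            and not any(arg_match(args, x) for x in ("-*", "=*", "*-*")))


def is_rm_stage(ev):
    """Stage 2: rm -fr of an app bundle in a user's Downloads folder."""
    args = ev["process.args"]
    return (ev["event.type"] in ("start", "process_started")
            and ev["process.name"].lower() == "rm"
            and arg_match(args, "/Users/*/Downloads/*.app")
            and arg_match(args, "-fr")
            and not any(arg_match(args, x) for x in ("-d", "-i", "-P", "-v", "-W")))


def find_sequences(events, stages, maxspan):
    """Return (host.id, [events]) for every ordered chain of stage matches on
    one host whose first-to-last span is within maxspan. Simplification of
    EQL `sequence by host.id`: one pending chain per host."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    pending = {}  # host.id -> (index of next stage to match, events matched so far)
    matches = []
    for ev in events:
        host = ev["host.id"]
        idx, chain = pending.get(host, (0, []))
        if chain and ev["@timestamp"] - chain[0]["@timestamp"] > maxspan:
            idx, chain = 0, []  # partial chain expired: window exceeded
        if stages[idx](ev):
            chain = chain + [ev]
            idx += 1
            if idx == len(stages):
                matches.append((host, chain))
                idx, chain = 0, []
        pending[host] = (idx, chain)
    return matches


# Constructed sample telemetry (hypothetical hosts, users and app names).
T0 = datetime(2021, 6, 9, 6, 47, 0)


def ev(host, secs, name, args):
    return {"@timestamp": T0 + timedelta(seconds=secs), "host.id": host,
            "event.type": "start", "process.name": name, "process.args": args}


SAMPLE_EVENTS = [
    ev("mac-1", 0, "chmod", ["chmod", "+x", "/Users/Shared/AppStore.app"]),
    ev("mac-1", 5, "rm", ["rm", "-fr", "/Users/alice/Downloads/Attachment.app"]),
    ev("mac-2", 0, "chmod", ["chmod", "+x", "/Users/Shared/AppStore.app"]),
    ev("mac-2", 90, "rm", ["rm", "-fr", "/Users/bob/Downloads/Attachment.app"]),  # beyond 30s
    ev("mac-3", 0, "chmod", ["chmod", "-R", "+x", "/Users/Shared/Tool.app"]),  # "-R" hits the "-*" exclusion
    ev("mac-3", 3, "rm", ["rm", "-fr", "/Users/carol/Downloads/Tool.app"]),
]


def detect_dok_staging(events=SAMPLE_EVENTS):
    """Apply the chmod -> rm rule with the gist's 30 second window."""
    return find_sequences(events, [is_chmod_stage, is_rm_stage], timedelta(seconds=30))


if __name__ == "__main__":
    for host, chain in detect_dok_staging():
        print(host, [e["process.name"] for e in chain])  # only mac-1 matches
```

Only mac-1 fires: mac-2's rm lands outside the 30 second window, and mac-3's chmod carries an option argument that the rule's `not process.args : ("-*", ...)` clause excludes. The same evaluator works for the brew/tor/socat -> killall -> security rule by supplying three stage predicates and a one minute maxspan.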