
Summary
This rule detects suspicious behavior associated with malicious macOS installer packages. It triggers when a macOS installer executes an abnormal child process (like bash) followed by an immediate network connection using a suspicious application (like curl). Attackers often use .pkg files to trick victims into installing software that mimics legitimate applications. These packages can include scripts that execute commands to download additional malicious tools or software. The detection focuses on a sequence of processes where a parent 'installer' or 'package_script_service' starts a shell process and is immediately followed by a network-related process. If this rule is triggered, it suggests the installation of potentially malicious software, warranting further investigation and response. Legitimate software installations may exhibit similar behavior and produce false positives, so the rule allows customizable exclusions to minimize unnecessary alerts.
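A minimal model of the process-sequence logic described above, as an added example and not the rule's own query: the process lists, event fields, time window and destination-based exclusions are assumptions, and the sample telemetry is constructed.

```python
from dataclasses import dataclass

# Hypothetical process lists and field names; the real rule's query may differ.
INSTALLER_PARENTS = {"installer", "package_script_service"}
SHELLS = {"bash", "sh", "zsh"}
NETWORK_TOOLS = {"curl", "nscurl", "osascript", "python3"}
WINDOW_SECONDS = 30.0  # the connection must follow the shell start within this window

@dataclass
class Event:
    ts: float          # event time, epoch seconds
    kind: str          # "start" = process start, "connect" = outbound connection
    name: str          # process name
    pid: int
    parent_name: str
    parent_pid: int
    dest: str = ""     # destination host, only meaningful for "connect" events

@dataclass
class Alert:
    shell_pid: int
    net_process: str
    dest: str
    delay: float       # seconds between the shell start and the connection

def detect(events, exclusions=frozenset(), window=WINDOW_SECONDS):
    """Flag installer -> shell -> network-tool sequences completed within `window` seconds.
    `exclusions` lists destination hosts that belong to known-legitimate installers."""
    shells = {}   # pid of a shell spawned by an installer parent -> its start time
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "start" and ev.parent_name in INSTALLER_PARENTS and ev.name in SHELLS:
            shells[ev.pid] = ev.ts
        elif ev.kind == "connect" and ev.name in NETWORK_TOOLS:
            started = shells.get(ev.parent_pid)   # was this tool launched by a flagged shell?
            if started is None or ev.ts - started > window or ev.dest in exclusions:
                continue
            alerts.append(Alert(ev.parent_pid, ev.name, ev.dest, ev.ts - started))
    return alerts

# Constructed sample telemetry: one suspicious chain, one vendor updater, one unrelated curl.
SAMPLE_EVENTS = [
    Event(100.0, "start", "bash", 501, "installer", 400),
    Event(101.5, "connect", "curl", 502, "bash", 501, dest="203.0.113.7"),
    Event(200.0, "start", "sh", 601, "package_script_service", 450),
    Event(203.0, "connect", "curl", 602, "sh", 601, dest="updates.example.com"),
    Event(300.0, "connect", "curl", 700, "Terminal", 300, dest="203.0.113.7"),
]
```

Running `detect(SAMPLE_EVENTS)` flags both installer chains; passing `exclusions=frozenset({"updates.example.com"})` suppresses the updater while keeping the suspicious one.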
Categories
- Endpoint
- macOS
Data Sources
- Process
- Network Traffic
- Application Log
ATT&CK Techniques
- T1059
- T1059.007
- T1071
- T1071.001
Created: 2021-02-23