Suspicious Installer Package Child Process

Sigma Rules

Summary
This detection rule identifies potentially malicious child processes spawned by macOS installer packages, specifically monitoring for well-known executables and scripting-language interpreters that could indicate suspicious behavior. The rule examines parent processes whose path ends with '/package_script_service' or '/installer' and checks for child processes such as 'osascript', 'curl', 'wget', and other interpreters associated with common scripting languages. Command lines containing 'preinstall' or 'postinstall' are also monitored, since these installer script stages can be abused to run malicious actions. By analyzing the relationship between installer packages and their child processes, the rule aims to uncover cases where attackers misuse legitimate installation procedures to execute harmful scripts or commands. False positives can arise from legitimate software that uses the same mechanisms to satisfy its installation requirements.
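The matching logic described above, as an added Python example run over constructed process events (this is not the rule's own source); the interpreter names beyond osascript, curl and wget, and the way the child-image and command-line indicators are combined, are assumptions:

```python
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal macOS process-creation record (constructed shape, not a real log schema)."""
    parent_image: str
    image: str
    command_line: str


# Parent process suffixes named in the rule summary.
INSTALLER_PARENTS = ("/package_script_service", "/installer")

# Child executables named in the summary plus common scripting-language
# interpreters (everything after wget is an assumption, not from the page).
SUSPICIOUS_CHILDREN = (
    "/osascript", "/curl", "/wget",
    "/bash", "/sh", "/zsh", "/python", "/python3", "/perl", "/ruby",
)

# Installer script stages named in the summary.
INSTALL_SCRIPT_MARKERS = ("preinstall", "postinstall")


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when an installer parent spawns a listed interpreter or an
    install-stage script. Assumption: the two indicators are alternatives."""
    if not ev.parent_image.endswith(INSTALLER_PARENTS):
        return False
    child_hit = ev.image.endswith(SUSPICIOUS_CHILDREN)
    cmd = ev.command_line.lower()
    cmdline_hit = any(marker in cmd for marker in INSTALL_SCRIPT_MARKERS)
    return child_hit or cmdline_hit


def scan(events):
    """Return only the matching events so an analyst can triage them."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events; paths are illustrative, not captured from a host.
SAMPLE_EVENTS = [
    ProcessEvent("/Library/PrivateFrameworks/PackageKit/package_script_service",
                 "/usr/bin/osascript", "osascript -e 'display dialog \"hi\"'"),
    ProcessEvent("/usr/sbin/installer", "/bin/sh",
                 "/bin/sh /tmp/PKInstallSandbox/Scripts/postinstall"),
    ProcessEvent("/usr/sbin/installer", "/usr/bin/lsbom", "lsbom -s /tmp/pkg.bom"),
    ProcessEvent("/bin/zsh", "/usr/bin/curl", "curl https://example.invalid/"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT parent={hit.parent_image} child={hit.image} cmd={hit.command_line}")
```

The third event shows why the parent check alone is not enough (lsbom under installer is routine), and the fourth shows that an interpreter without an installer parent is out of scope for this rule.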
Categories
  • macOS
  • Endpoint
Data Sources
  • Process
Created: 2023-02-18