
MacOS - Re-opened Applications

Splunk Security Content

Summary
This detection rule identifies potentially malicious persistence mechanisms on macOS by monitoring processes that interact with the "com.apple.loginwindow" component on reboot. By analyzing references to property list (plist) files, the analytic leverages endpoint detection and response (EDR) data, which is crucial for spotting attempts by attackers to maintain access across system reboots. The detection focuses on Sysmon EventID 1 (process creation), looking for patterns in process names and their parent processes that could signal malicious activity. This behavior is significant because it is a well-established tactic attackers use to keep a foothold on compromised machines. Implementing the rule requires the appropriate logging from EDR solutions and mapping it to the standard data models in Splunk, ensuring comprehensive monitoring of potentially malicious activity on macOS systems.
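As an added illustration (not the Splunk Security Content rule itself), the following Python replays the detection logic described above over a few constructed Sysmon-style EventID 1 records: it reports processes whose command line references the com.apple.loginwindow plist, records the parent process, and flags whether the reference looks like a modification rather than a read, which is an assumption added here to help triage. Field names, sample paths and the key name "ExampleKey" are constructed for the example.

```python
"""Toy replica of the detection logic described on this page.
Assumption: each event is a dict carrying Sysmon-like EventID 1 fields
(Image, ParentImage, CommandLine). Sample data below is constructed."""
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry). Keys mirror Sysmon EventID 1 fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Image": "/usr/bin/defaults", "ParentImage": "/bin/zsh",
     "CommandLine": "defaults write com.apple.loginwindow ExampleKey -string /tmp/example"},
    {"EventID": "1", "Image": "/usr/libexec/PlistBuddy", "ParentImage": "/bin/bash",
     "CommandLine": "PlistBuddy -c 'Set :ExampleKey value' "
                    "~/Library/Preferences/com.apple.loginwindow.plist"},
    {"EventID": "1", "Image": "/usr/bin/defaults", "ParentImage": "/usr/bin/osascript",
     "CommandLine": "defaults read com.apple.loginwindow"},
    {"EventID": "1", "Image": "/usr/bin/defaults", "ParentImage": "/bin/zsh",
     "CommandLine": "defaults read com.apple.dock autohide"},
    {"EventID": "3", "Image": "/usr/bin/curl", "ParentImage": "/bin/zsh",
     "CommandLine": "curl https://example.invalid"},
]

# The plist domain the page's rule keys on, with or without the .plist suffix.
LOGINWINDOW_RE = re.compile(r"com\.apple\.loginwindow(\.plist)?", re.IGNORECASE)
# Verbs that change a plist (defaults / PlistBuddy style); reads are lower priority.
MODIFY_RE = re.compile(r"\b(write|Set|Add|Delete|delete|import)\b")


def match_event(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding for one process-creation event, or None if it does not match."""
    if ev.get("EventID") != "1":          # only process-creation events are in scope
        return None
    cmd = ev.get("CommandLine", "")
    if not LOGINWINDOW_RE.search(cmd):    # must reference com.apple.loginwindow
        return None
    return {
        "process": ev.get("Image", ""),
        "parent": ev.get("ParentImage", ""),   # parent context is part of the rule
        "command": cmd,
        "modifies": bool(MODIFY_RE.search(cmd)),
    }


def find_loginwindow_references(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the detection over a batch of events and return all findings."""
    return [m for m in (match_event(e) for e in events) if m is not None]


if __name__ == "__main__":
    for finding in find_loginwindow_references(SAMPLE_EVENTS):
        print(finding)
```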
Categories
  • macOS
  • Endpoint
Data Sources
  • Pod
  • Process
Created: 2024-11-13