Detections
12 Sigma detection rules covering multiple platforms
macOS (12)
Suspicious Network Connection from Shell Launch
Detects network connections initiated immediately after shell launch. When a terminal opens, the shell RC file (.zshrc) is executed. Attackers may abuse this to beacon to command and control servers, exfiltrate data and credentials (keychain files, for example), or download additional payloads. This detection identifies suspicious network tools launched directly from the shell.
Potential Credential Exfiltration via Shell Configuration
Detects processes spawned from shell initialisation that access sensitive credential files. Attackers use .zshrc to automatically search for and exfiltrate SSH keys, AWS credentials, API tokens, keychain databases, and other sensitive authentication materials when a terminal is opened. This detection identifies suspicious file access patterns combined with credential-related commands.
Suspicious Process Modifying .zshrc Configuration
Detects modification of the .zshrc shell configuration file by abnormal processes. Attackers commonly modify .zshrc to establish persistence, execute malicious code on terminal launch, or exfiltrate sensitive data. This detection focuses on modifications made by non-standard editors or processes executing from temporary directories.
Root Service Execution from Suspicious Path
Detects the system launchd process (PID 1) executing a child process from a suspicious, non-standard directory. This indicates a LaunchDaemon has been compromised to run a malicious payload.
Suspicious Process Modifying LaunchDaemons
Detects non-standard processes creating or modifying files in the /Library/LaunchDaemons/ directory. This is a primary indicator of privilege escalation attempts via service hijacking.
Payload Decoded and Decrypted via Built-in Utilities
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
Keychain Database Staging For Exfiltration - MacOS
Detects potential staging of macOS Keychain database files for exfiltration to temporary or shared directories. Adversaries often copy keychain files (login.keychain-db, login.keychain, System.keychain) to staging locations before exfiltration. This technique has been observed in campaigns such as Odyssey stealer, BeaverTail, Cuckoo Stealer, and Calisto malware.
Suspicious Keychain Access Via Security Utility - MacOS
Detects suspicious use of the "security" command-line utility to dump, export, or access keychain credentials. Adversaries use commands like "security dump-keychain -d" to extract plaintext passwords from the macOS Keychain. This technique is used by Empire framework, Odyssey stealer, and other credential theft tools.
Clipboard Data Collection Via OSAScript
Detects possible collection of data from the clipboard via execution of the "osascript" binary on macOS. Attackers can use AppleScript to access clipboard contents for data exfiltration or reconnaissance purposes. The "clipboard info" and "the clipboard" commands return clipboard contents in AppleScript.
Hidden Flag Set On File/Directory Via Chflags
Detects the execution of the "chflags" utility with the "hidden" flag to hide files or directories on macOS. When a file or directory has the hidden flag set, it becomes invisible to default file listing commands and graphical file browsers. This technique has been observed in APT32 (OceanLotus) campaigns and other malware like WireLurker.
Hidden Flag Set On Sensitive Files Via Chflags
Detects the execution of the "chflags" utility with the "hidden" flag targeting sensitive files or directories on macOS. This focuses on high-risk scenarios where attackers hide scripts, sensitive user data, or credential-related files. When combined with suspicious file types or locations, this behavior is highly indicative of malicious activity.
Suspicious Clipboard Data Exfiltration Via OSAScript
Detects suspicious clipboard data collection combined with network activity or file operations via osascript. This pattern indicates potential data exfiltration where clipboard contents are being sent externally or saved to disk.