Add TTP details from https://www.sentinelone.com/blog/backdoor-activator-malware-running-rife-through-torrents-of-macos-apps/

2025-01-20 12:30:44 +00:00 · 2024-02-01 13:04:07 -05:00 · 2024-02-01 13:04:07 -05:00 · 25c579aa1d
commit 25c579aa1d
parent 23a0e572df
2 changed files with 2 additions and 0 deletions
--- a/detection/execution/exotic-command-events-macos.sql
+++ b/detection/execution/exotic-command-events-macos.sql
@ -109,6 +109,7 @@ WHERE
    OR p0_cmd LIKE '%touch%acmr%'
    OR p0_cmd LIKE '%touch -r%'
    OR p0_cmd LIKE '%ld.so.preload%'
+    OR p0_cmd LIKE 'killall%NotificationCenter'
    OR p0_cmd LIKE '%urllib.urlopen%'
    OR p0_cmd LIKE '%nohup%tmp%'
    OR p0_cmd LIKE '%killall Terminal%'
--- a/detection/execution/unexpected-sysutils-macos.sql
+++ b/detection/execution/unexpected-sysutils-macos.sql
@ -86,6 +86,7 @@ WHERE
    '/usr/bin/openssl',
    '/usr/bin/security',
    '/usr/bin/sqlite3',
+    '/usr/sbin/spctl',
    '/usr/bin/sw_vers',
    '/usr/bin/unzip',
    '/usr/bin/uuidgen',