Merge pull request #249 from tstromberg/beef-up

sysutils: Add /usr/bin/security (Keychain)
Thomas Strömberg 2023-05-03 15:54:03 -04:00 committed by GitHub
commit 260e9abb5a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,7 +1,8 @@
-- Unexpected calls to sysctl (event-based)
-- Unexpected calls to macOS system utilities (event-based)
--
-- refs:
-- * https://attack.mitre.org/techniques/T1497/001/ (Virtualization/Sandbox Evasion: System Checks)
-- * https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/
--
-- platform: darwin
-- interval: 900
@ -73,6 +74,7 @@ WHERE
AND pe.status == 0
AND pe.path IN (
'/usr/sbin/sysctl',
'/usr/bin/security',
'/usr/libexec/security_authtrampoline',
'/usr/bin/openssl',
'/usr/bin/uuidgen',
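Review bot: Adding `'/usr/bin/security'` to the bare path list means every successful run of the tool is flagged, yet the binary is routinely executed by legitimate developer and CI tooling (code-signing pipelines run `security create-keychain`, `security import` and `security find-certificate`), so this entry is likely to be the noisiest one in the list unless exceptions further down the WHERE clause already carve those out. The SentinelOne reference added in the header describes keychain credential theft, so the subcommands that actually read secrets are presumably what the rule is after; matching on them rather than on the path alone keeps the signal and drops most of the noise. One way to do that is to drop the path from the IN list and add a separate disjunct such as `OR (pe.path = '/usr/bin/security' AND (pe.cmdline LIKE '%dump-keychain%' OR pe.cmdline LIKE '%find-generic-password%' OR pe.cmdline LIKE '%find-internet-password%'))`. The enclosing WHERE clause begins and ends outside this hunk, so the exact placement relative to any existing exception list needs to be checked in the full query.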