sysutils: Add /usr/bin/security (Keychain)

Thomas Stromberg 2023-05-03 15:53:33 -04:00
parent 76cf1006c6
commit cc221ae011


@ -1,7 +1,8 @@
-- Unexpected calls to sysctl (event-based)
-- Unexpected calls to macOS system utilities (event-based)
--
-- refs:
-- * https://attack.mitre.org/techniques/T1497/001/ (Virtualization/Sandbox Evasion: System Checks)
-- * https://www.sentinelone.com/blog/atomic-stealer-threat-actor-spawns-second-variant-of-macos-malware-sold-on-telegram/
--
-- platform: darwin
-- interval: 900
@ -73,6 +74,7 @@ WHERE
AND pe.status == 0
AND pe.path IN (
'/usr/sbin/sysctl',
'/usr/bin/security',
'/usr/libexec/security_authtrampoline',
'/usr/bin/openssl',
'/usr/bin/uuidgen',
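Review bot: The new `'/usr/bin/security'` entry sits under the existing `AND pe.status == 0` filter, so only invocations that exit successfully are reported; for a Keychain-access binary the failed attempts (a denied access prompt, a wrong password) are arguably the more useful signal, and they are dropped by this clause. Either relax the status check for this path or record the limitation in the header comment in the first hunk, e.g. `-- note: only invocations exiting with status 0 are reported (failed keychain access is not)`. The header comment would also benefit from saying why `security` is listed, since the rest of the list is sysctl-style fingerprinting and this entry is about credential access; something like `-- /usr/bin/security: keychain access, cf. Atomic Stealer ref` would do. `security` is presumably also called routinely by developer and packaging tooling on a 900-second interval, so the exclusion list (not visible in this hunk) may need parent-process entries to keep the alert actionable. The SELECT and WHERE clauses begin before this hunk.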