sigmaDRL-1.1 from SigmaHQ/sigma
Potential XCSSET Malware Infection
Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
Quality: 58 · FP risk: —
Rule source: rules/macos/process_creation/proc_creation_macos_xcsset_malware_infection.yml

```yaml
title: Potential XCSSET Malware Infection
id: 47d65ac0-c06f-4ba2-a2e3-d263139d0f51
status: test
description: Identifies the execution traces of the XCSSET malware. XCSSET is a macOS trojan that primarily spreads via Xcode projects and maliciously modifies applications. Infected users are also vulnerable to having their credentials, accounts, and other vital data stolen.
references:
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-f5deb07688e1a8dec9530bc3071967b2da5c16b482e671812b864c37beb28f08
    - https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
author: Tim Rauch (rule), Elastic (idea)
date: 2022-10-17
tags:
    - attack.command-and-control
logsource:
    category: process_creation
    product: macos
detection:
    selection_1_curl:
        ParentImage|endswith: '/bash'
        Image|endswith: '/curl'
        CommandLine|contains:
            - '/sys/log.php'
            - '/sys/prepod.php'
            - '/sys/bin/Pods'
    selection_1_https:
        CommandLine|contains: 'https://'
    selection_other_1:
        ParentImage|endswith: '/bash'
        Image|endswith: '/osacompile'
        CommandLine|contains|all:
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_2:
        ParentImage|endswith: '/bash'
        Image|endswith: '/plutil'
        CommandLine|contains|all:
            - 'LSUIElement'
            - '/Users/'
            - '/Library/Group Containers/'
    selection_other_3:
        Image|endswith: '/zip'
        CommandLine|contains|all:
            - '-r'
            - '/Users/'
            - '/Library/Group Containers/'
    condition: all of selection_1_* or 1 of selection_other_*
falsepositives:
    - Unknown
level: medium
```
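The condition `all of selection_1_* or 1 of selection_other_*` is easy to misread: the two `selection_1_*` maps are AND-ed (the curl event must both hit one of the `/sys/...` paths and carry an `https://` URL), while any single `selection_other_*` map fires on its own, and `selection_other_3` has no `ParentImage` constraint at all. The following Python is an added example, not code from SigmaHQ or the rule's author: it transcribes the detection block above and evaluates it over constructed process_creation events (hostnames and user paths are invented placeholders) using Sigma's default case-insensitive string matching, OR semantics for a value list, and AND semantics under `|all`.

```python
"""Reference evaluation of the 'Potential XCSSET Malware Infection' Sigma rule
over process_creation events. Added example, not part of SigmaHQ or the rule.
Matching follows Sigma semantics: string modifiers compare case-insensitively,
a list of values under a plain modifier is OR-ed, and `|all` requires every value.
"""
from typing import Any

# The rule's detection block, transcribed from the rule. Selection names and
# values keep the rule's own wording; the structure is a plain dict.
DETECTION: dict[str, dict[str, Any]] = {
    "selection_1_curl": {
        "ParentImage|endswith": "/bash",
        "Image|endswith": "/curl",
        "CommandLine|contains": ["/sys/log.php", "/sys/prepod.php", "/sys/bin/Pods"],
    },
    "selection_1_https": {"CommandLine|contains": "https://"},
    "selection_other_1": {
        "ParentImage|endswith": "/bash",
        "Image|endswith": "/osacompile",
        "CommandLine|contains|all": ["/Users/", "/Library/Group Containers/"],
    },
    "selection_other_2": {
        "ParentImage|endswith": "/bash",
        "Image|endswith": "/plutil",
        "CommandLine|contains|all": ["LSUIElement", "/Users/", "/Library/Group Containers/"],
    },
    "selection_other_3": {
        "Image|endswith": "/zip",
        "CommandLine|contains|all": ["-r", "/Users/", "/Library/Group Containers/"],
    },
}


def _field_matches(event: dict[str, str], key: str, values: Any) -> bool:
    """Evaluate one `Field|modifier[|all]: value(s)` line against an event."""
    field, *mods = key.split("|")
    actual = str(event.get(field, "")).lower()
    wanted = [str(v).lower() for v in (values if isinstance(values, list) else [values])]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in wanted]
    elif "startswith" in mods:
        hits = [actual.startswith(v) for v in wanted]
    elif "contains" in mods:
        hits = [v in actual for v in wanted]
    else:  # no modifier: exact (case-insensitive) equality
        hits = [actual == v for v in wanted]
    return all(hits) if "all" in mods else any(hits)


def selection_matches(event: dict[str, str], selection: dict[str, Any]) -> bool:
    """A selection map is an AND of all of its field lines."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def xcsset_rule_matches(event: dict[str, str]) -> bool:
    """condition: all of selection_1_* or 1 of selection_other_*"""
    sel_1 = [selection_matches(event, s) for n, s in DETECTION.items() if n.startswith("selection_1_")]
    sel_other = [selection_matches(event, s) for n, s in DETECTION.items() if n.startswith("selection_other_")]
    return all(sel_1) or any(sel_other)


# Constructed sample events (placeholder hosts and users, no real telemetry).
# They include the near-miss a triager should expect: a curl hit on a /sys/ path
# without an https:// URL does not satisfy `all of selection_1_*`.
SAMPLE_EVENTS = [
    {"name": "curl_beacon", "ParentImage": "/bin/bash", "Image": "/usr/bin/curl",
     "CommandLine": "curl -s https://cdn.example.invalid/sys/log.php"},
    {"name": "curl_http_only", "ParentImage": "/bin/bash", "Image": "/usr/bin/curl",
     "CommandLine": "curl -s http://cdn.example.invalid/sys/log.php"},
    {"name": "osacompile", "ParentImage": "/bin/bash", "Image": "/usr/bin/osacompile",
     "CommandLine": "osacompile -x -o '/Users/dev/Library/Group Containers/foo.app' main.applescript"},
    {"name": "plutil_lsui", "ParentImage": "/bin/bash", "Image": "/usr/bin/plutil",
     "CommandLine": "plutil -replace LSUIElement -bool true '/Users/dev/Library/Group Containers/foo.app/Contents/Info.plist'"},
    {"name": "zip_any_parent", "ParentImage": "/usr/bin/python3", "Image": "/usr/bin/zip",
     "CommandLine": "zip -r /tmp/out.zip '/Users/dev/Library/Group Containers/'"},
    {"name": "benign_curl", "ParentImage": "/bin/bash", "Image": "/usr/bin/curl",
     "CommandLine": "curl -fsSL https://example.invalid/install.sh"},
]


def evaluate_samples() -> dict[str, bool]:
    """Run the rule over every constructed event; name -> alert decision."""
    return {e["name"]: xcsset_rule_matches(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else '  -  '} {name}")
```

Two things the run makes visible that the YAML alone does not: `zip_any_parent` alerts even though its parent is not `bash`, because `selection_other_3` only constrains `Image` and `CommandLine`, and `curl_http_only` stays silent, so a backend that mistakenly compiles the condition as `1 of selection_1_*` would fire on far more benign curl traffic than the author intended. When tuning the `falsepositives: Unknown` entry for your own environment, this kind of table of constructed hits and misses is a useful starting point.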