LoFP / custom organization-specific macos packages that use .pkg files to run curl could trigger this rule. if known behavior is causing false positives, it can be excluded from the rule.

Techniques

• T1059
• T1071

Sample rules

MacOS Installer Package Spawns Network Event

• source: elastic
• technicques:
  • T1059
  • T1071

Description

Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.

Detection logic

sequence by host.id, user.id with maxspan=30s
[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
[network where host.os.type == "macos" and event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]