Techniques
Sample rules
Suspicious Browser Child Process - MacOS
- source: sigma
- techniques:
- T1059 (Command and Scripting Interpreter)
- T1189 (Drive-by Compromise)
- T1203 (Exploitation for Client Execution)
Description
Detects shells, script interpreters and download tools (bash, zsh, osascript, python, perl, curl, wget, and similar) spawned as child processes of a web browser on macOS. Browsers rarely launch such programs themselves, so this can be the result of browser exploitation, for example a drive-by compromise that leads to command execution. Known benign launchers (Chrome's Keystone update scripts, Chrome recovery, Tor Browser's torrc handling, Microsoft AutoUpdate and Edge hardware-model queries) are excluded by the filters.
Detection logic
```yaml
detection:
    selection:
        Image|endswith:
            - /bash
            - /curl
            - /dash
            - /ksh
            - /osascript
            - /perl
            - /php
            - /pwsh
            - /python
            - /sh
            - /tcsh
            - /wget
            - /zsh
        ParentImage|contains:
            - com.apple.WebKit.WebContent
            - firefox
            - Google Chrome Helper
            - Google Chrome
            - Microsoft Edge
            - Opera
            - Safari
            - Tor Browser
    filter_main_chrome:
        CommandLine|contains:
            - /Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh
            - /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh
            - /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh
        ParentImage|contains:
            - Google Chrome Helper
            - Google Chrome
    filter_main_chromerecovery:
        CommandLine|contains|all:
            - /Users/
            - /Library/Application Support/Google/Chrome/recovery/
            - /ChromeRecovery
        ParentImage|contains:
            - Google Chrome Helper
            - Google Chrome
    filter_main_generic:
        CommandLine|contains: --defaults-torrc
    filter_main_ms_autoupdate:
        CommandLine|contains: /Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate
    filter_main_ms_edge:
        CommandLine|contains:
            - IOPlatformExpertDevice
            - hw.model
        ParentImage|contains: Microsoft Edge
    filter_optional_empty:
        CommandLine: ''
    filter_optional_null:
        CommandLine: null
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
```
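To see how the selection, the `filter_main_*` exclusions and the `filter_optional_*` empty/null command-line exclusions combine, the rule is re-implemented below in plain Python and run over a handful of process-creation events. This is an added example, not code from the Sigma project or the rule author; the event field names (`Image`, `ParentImage`, `CommandLine`) follow the rule, the six sample events are constructed for illustration, and the `contains` helper treats an unescaped `*` inside a value as a wildcard and matches case-insensitively, which is how Sigma's `contains` modifier behaves.

```python
"""Sigma rule 'Suspicious Browser Child Process - MacOS' as plain Python.

Added example, not the Sigma project's code. Sample events are constructed.
"""
from fnmatch import fnmatchcase

SELECTION_IMAGES = ("/bash", "/curl", "/dash", "/ksh", "/osascript", "/perl", "/php",
                    "/pwsh", "/python", "/sh", "/tcsh", "/wget", "/zsh")
SELECTION_PARENTS = ("com.apple.WebKit.WebContent", "firefox", "Google Chrome Helper",
                     "Google Chrome", "Microsoft Edge", "Opera", "Safari", "Tor Browser")
CHROME_PARENTS = ("Google Chrome Helper", "Google Chrome")
CHROME_UPDATE_SCRIPTS = (
    "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh",
    "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_preflight.sh",
    "/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/*/Resources/keystone_promote_postflight.sh",
)
CHROME_RECOVERY_PARTS = ("/Users/", "/Library/Application Support/Google/Chrome/recovery/", "/ChromeRecovery")
MAU_PATH = "/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate"


def contains(value, pattern):
    """Sigma 'contains': case-insensitive substring match; '*' in the pattern is a wildcard."""
    if value is None:
        return False
    return fnmatchcase(value.lower(), "*" + pattern.lower() + "*")


def endswith(value, suffix):
    return value is not None and value.lower().endswith(suffix.lower())


def selection(ev):
    return (any(endswith(ev.get("Image"), s) for s in SELECTION_IMAGES)
            and any(contains(ev.get("ParentImage"), p) for p in SELECTION_PARENTS))


def filter_main_chrome(ev):
    return (any(contains(ev.get("CommandLine"), p) for p in CHROME_UPDATE_SCRIPTS)
            and any(contains(ev.get("ParentImage"), p) for p in CHROME_PARENTS))


def filter_main_chromerecovery(ev):
    # contains|all: every fragment must be present in the command line
    return (all(contains(ev.get("CommandLine"), p) for p in CHROME_RECOVERY_PARTS)
            and any(contains(ev.get("ParentImage"), p) for p in CHROME_PARENTS))


def filter_main_generic(ev):
    return contains(ev.get("CommandLine"), "--defaults-torrc")


def filter_main_ms_autoupdate(ev):
    return contains(ev.get("CommandLine"), MAU_PATH)


def filter_main_ms_edge(ev):
    return (any(contains(ev.get("CommandLine"), p) for p in ("IOPlatformExpertDevice", "hw.model"))
            and contains(ev.get("ParentImage"), "Microsoft Edge"))


def filter_optional(ev):
    # filter_optional_empty (CommandLine: '') and filter_optional_null (field absent)
    return ev.get("CommandLine") in ("", None)


MAIN_FILTERS = (filter_main_chrome, filter_main_chromerecovery, filter_main_generic,
                filter_main_ms_autoupdate, filter_main_ms_edge)


def rule_matches(ev):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return selection(ev) and not any(f(ev) for f in MAIN_FILTERS) and not filter_optional(ev)


# Constructed sample events (not real telemetry); "label" is only used for reporting.
SAMPLE_EVENTS = [
    {"label": "safari-curl", "Image": "/usr/bin/curl",
     "ParentImage": "/Applications/Safari.app/Contents/MacOS/Safari",
     "CommandLine": "curl -fsSL http://127.0.0.1:8080/stage -o /tmp/.s"},
    {"label": "webcontent-osascript", "Image": "/usr/bin/osascript",
     "ParentImage": "/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/"
                    "com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent",
     "CommandLine": "osascript -e 'display dialog \"hi\"'"},
    {"label": "chrome-keystone-preflight", "Image": "/bin/sh",
     "ParentImage": "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
     "CommandLine": "/bin/sh /Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/"
                    "Versions/120.0.6099.109/Resources/keystone_promote_preflight.sh"},
    {"label": "edge-hw-model", "Image": "/bin/sh",
     "ParentImage": "/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge",
     "CommandLine": "/bin/sh -c 'sysctl -n hw.model'"},
    {"label": "firefox-no-cmdline", "Image": "/usr/bin/python",   # CommandLine field absent
     "ParentImage": "/Applications/Firefox.app/Contents/MacOS/firefox"},
    {"label": "terminal-zsh", "Image": "/bin/zsh",
     "ParentImage": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "CommandLine": "/bin/zsh -l"},
]


def alerts(events=SAMPLE_EVENTS):
    """Labels of the events the rule fires on."""
    return [ev["label"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    print(alerts())  # ['safari-curl', 'webcontent-osascript']
```

Only the Safari-launched curl and the WebContent-launched osascript fire: the Chrome Keystone script is swallowed by the `*` wildcard in `filter_main_chrome`, the Edge `hw.model` query by `filter_main_ms_edge`, and the Firefox child with no recorded command line by `filter_optional_null`. That last exclusion is worth keeping in mind when tuning: a telemetry source that frequently drops `CommandLine` will silently suppress true positives, so check the field's population rate before relying on the optional filters.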