Techniques
Sample rules
Suspicious Installer Package Child Process
- source: sigma
- techniques:
- t1059
- t1059.007
- t1071
- t1071.001
Description
Detects the execution of suspicious child processes spawned by a macOS installer package parent process. This includes osascript, JXA, curl and wget, amongst other interpreters.
Detection logic
selection_installer:
    CommandLine|contains:
        - preinstall
        - postinstall
    Image|endswith:
        - /sh
        - /bash
        - /dash
        - /python
        - /ruby
        - /perl
        - /php
        - /javascript
        - /osascript
        - /tclsh
        - /curl
        - /wget
    ParentImage|endswith:
        - /package_script_service
        - /installer
condition: selection_installer
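The following is an added example, not code from the Sigma project, showing how the selection above evaluates against process-creation events. It implements the Sigma map semantics the rule relies on (every field condition must hold, any listed value may satisfy a field, string matching is case-insensitive) and runs them over a handful of constructed events; the event field names follow the rule, and the file paths and command lines are illustrative values made up for the example.

```python
"""Evaluate the 'Suspicious Installer Package Child Process' selection over sample events."""
from typing import Callable

# Transcription of the rule's selection: "Field|modifier" -> list of values.
SELECTION_INSTALLER: dict[str, list[str]] = {
    "CommandLine|contains": ["preinstall", "postinstall"],
    "Image|endswith": [
        "/sh", "/bash", "/dash", "/python", "/ruby", "/perl", "/php",
        "/javascript", "/osascript", "/tclsh", "/curl", "/wget",
    ],
    "ParentImage|endswith": ["/package_script_service", "/installer"],
}

# Sigma string modifiers used by this rule (plus exact match when no modifier is given).
MODIFIERS: dict[str, Callable[[str, str], bool]] = {
    "": lambda value, pattern: value == pattern,
    "contains": lambda value, pattern: pattern in value,
    "endswith": lambda value, pattern: value.endswith(pattern),
    "startswith": lambda value, pattern: value.startswith(pattern),
}


def field_matches(event: dict, key: str, patterns: list[str]) -> bool:
    """One field condition: true if ANY listed value matches (case-insensitive)."""
    field_name, _, modifier = key.partition("|")
    value = str(event.get(field_name, "")).lower()
    match = MODIFIERS[modifier]
    return any(match(value, pattern.lower()) for pattern in patterns)


def selection_matches(event: dict, selection: dict[str, list[str]]) -> bool:
    """A selection map is an AND over its field conditions."""
    return all(field_matches(event, key, patterns) for key, patterns in selection.items())


def evaluate_rule(events: list[dict]) -> list[str]:
    """Return ids of events satisfying `condition: selection_installer`."""
    return [e["id"] for e in events if selection_matches(e, SELECTION_INSTALLER)]


# Constructed sample events (illustrative paths, not captured telemetry).
SAMPLE_EVENTS: list[dict] = [
    {   # Installer.app spawning osascript to run a package's postinstall script: matches
        "id": "evt-1",
        "ParentImage": "/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer",
        "Image": "/usr/bin/osascript",
        "CommandLine": "/usr/bin/osascript /private/tmp/PKInstallSandbox.example/Scripts/postinstall",
    },
    {   # package_script_service running a preinstall script through bash: matches
        "id": "evt-2",
        "ParentImage": "/System/Library/PrivateFrameworks/PackageKit.framework/package_script_service",
        "Image": "/bin/bash",
        "CommandLine": "/bin/bash /private/tmp/PKInstallSandbox.example/Scripts/preinstall",
    },
    {   # curl from the installer parent, but no preinstall/postinstall in the command line:
        # the CommandLine condition fails, so the rule as written does NOT fire
        "id": "evt-3",
        "ParentImage": "/System/Library/PrivateFrameworks/PackageKit.framework/package_script_service",
        "Image": "/usr/bin/curl",
        "CommandLine": "curl -fsSL https://updates.example.invalid/pkg.sh",
    },
    {   # Ordinary interactive shell with a non-installer parent: no match
        "id": "evt-4",
        "ParentImage": "/usr/bin/login",
        "Image": "/bin/zsh",
        "CommandLine": "-zsh",
    },
]

if __name__ == "__main__":
    print(evaluate_rule(SAMPLE_EVENTS))  # evt-1 and evt-2 fire; evt-3 and evt-4 do not
```

Two things the run makes visible: the capitalised `Installer` parent in evt-1 still matches `/installer` because Sigma string comparison is case-insensitive by default, and evt-3 shows that all three field conditions are ANDed, so an interpreter launched by the installer whose command line does not mention a preinstall or postinstall script falls outside this rule. Because legitimate packages also run their preinstall/postinstall scripts through these interpreters, hits from this rule are a triage starting point (which package, what the script did) rather than a verdict on their own.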