
Commit bf42012

committed
feat: add macOS LOOBins detection query (16 high-confidence patterns across 13 binaries)
1 parent 4e9db7c commit bf42012

1 file changed

Lines changed: 5 additions & 0 deletions


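--- a/s1_powerquery_hunting.json
+++ b/s1_powerquery_hunting.json
@@ -463,5 +463,10 @@
 "category": "Command & Control",
 "name": "Ligolo-ng Tunneling and Ligolo-IWA Browser Pivot",
 "query": "tgt.file.path endswith \".swbn\" OR (src.process.name contains:anycase (\"chrome\",\"msedge\") AND dst.port.number = 11601) OR #cmdline contains:anycase \"enable-isolated-web-app-dev-mode\" OR event.dns.request contains:anycase \"ligolo.ng\" OR (#cmdline contains:anycase \"ligolo\" AND #cmdline contains:anycase (\"-connect\",\"-selfcert\",\"-ignore-cert\",\"agent\",\"proxy\")) OR src.process.name contains:anycase (\"ligolo-agent\",\"ligolo-ng\",\"ligolo-proxy\") OR tgt.process.name contains:anycase (\"ligolo-agent\",\"ligolo-ng\",\"ligolo-proxy\")\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, event.type, event.dns.request, dst.ip.address, dst.port.number, tgt.file.path\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, event.type, event.dns.request, dst.ip.address, dst.port.number, tgt.file.path, Count\n| sort -Count\n| limit 100000"
+},
+{
+"category": "macOS",
+"name": "macOS LOOBins - Living Off the Orchard (High Confidence)",
+"query": "endpoint.os = \"macos\" AND ((src.process.name = \"security\" AND src.process.cmdline contains:anycase \"dump-keychain\") OR (src.process.name = \"security\" AND src.process.cmdline contains:anycase \"find-generic-password\" AND src.process.cmdline contains:anycase \"Chrome Safe Storage\") OR (src.process.name = \"osascript\" AND src.process.cmdline contains:anycase \"display dialog\" AND src.process.cmdline contains:anycase (\"password\",\"keychain\",\"credential\",\"login\",\"authentif\")) OR (src.process.name = \"sqlite3\" AND src.process.cmdline contains:anycase (\"cookies.sqlite\",\"moz_cookies\",\"Login Data\")) OR (src.process.name = \"log\" AND src.process.cmdline contains:anycase \"eyJ\") OR (#cmdline contains \"com.apple.quarantine\" AND #cmdline contains \"-d\") OR (src.process.name = \"spctl\" AND src.process.cmdline contains:anycase \"--master-disable\") OR (src.process.name = \"log\" AND src.process.cmdline contains:anycase \"erase\" AND src.process.cmdline contains:anycase \"--all\") OR (src.process.name = \"csrutil\" AND src.process.cmdline contains:anycase \"disable\") OR (src.process.name = \"sfltool\" AND src.process.cmdline contains:anycase \"resetbtm\") OR (src.process.name = \"ssh-keygen\" AND src.process.cmdline contains:anycase \".dylib\") OR (src.process.name = \"tclsh\" AND src.process.cmdline contains:anycase \".dylib\") OR (src.process.cmdline contains:anycase \"LoginHook\") OR (src.process.name = \"sysadminctl\" AND src.process.cmdline contains:anycase (\"-addUser\",\"-resetPasswordFor\",\"-smbGuestAccess\",\"-afpGuestAccess\")) OR (src.process.name = \"networksetup\" AND src.process.cmdline contains:anycase (\"-setwebproxy\",\"-setsecurewebproxy\",\"-setautoproxyurl\")) OR (src.process.name = \"systemsetup\" AND src.process.cmdline contains:anycase (\"-setremotelogin\",\"-setremoteappleevents\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, Count\n| sort -Count\n| limit 100000"
 }
 ]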
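Review bot: The quarantine clause on new line 470, `(#cmdline contains "com.apple.quarantine" AND #cmdline contains "-d")`, is the only clause in the query that uses case-sensitive `contains` and carries no process-name qualifier, and the bare `"-d"` substring also matches any argument or path containing it (a directory named `-dir`, for instance), so it will fire on `xattr -p`/`xattr -l` inspections of the attribute as well as on the `xattr -d` removal the "high confidence" label implies; something like `(src.process.name = "xattr" AND src.process.cmdline contains:anycase "com.apple.quarantine" AND src.process.cmdline contains:anycase " -d")` would be tighter, though the exact flag-matching idiom should be checked against how the platform tokenizes `contains`. In the `osascript` clause, the term `"authentif"` matches the spelling "authentification" but not "authenticate" or "authentication"; `"authent"` would cover all three. Unlike the Ligolo query on line 465, which tests both `src.process.name` and `tgt.process.name`, every clause here is on `src.process.*`; if short-lived commands such as `csrutil disable` or `spctl --master-disable` surface only on the `tgt.process` side of their creation event, they would be missed, which is worth confirming against the schema before relying on this as the high-confidence set.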
