
Commit cb48e92

committed
fix: use correct endpoint.os value "osx" for macOS queries
1 parent bf42012 commit cb48e92

1 file changed

Lines changed: 1 addition & 1 deletion


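--- a/s1_powerquery_hunting.json
+++ b/s1_powerquery_hunting.json
@@ -467,6 +467,6 @@
 {
 "category": "macOS",
 "name": "macOS LOOBins - Living Off the Orchard (High Confidence)",
-"query": "endpoint.os = \"macos\" AND ((src.process.name = \"security\" AND src.process.cmdline contains:anycase \"dump-keychain\") OR (src.process.name = \"security\" AND src.process.cmdline contains:anycase \"find-generic-password\" AND src.process.cmdline contains:anycase \"Chrome Safe Storage\") OR (src.process.name = \"osascript\" AND src.process.cmdline contains:anycase \"display dialog\" AND src.process.cmdline contains:anycase (\"password\",\"keychain\",\"credential\",\"login\",\"authentif\")) OR (src.process.name = \"sqlite3\" AND src.process.cmdline contains:anycase (\"cookies.sqlite\",\"moz_cookies\",\"Login Data\")) OR (src.process.name = \"log\" AND src.process.cmdline contains:anycase \"eyJ\") OR (#cmdline contains \"com.apple.quarantine\" AND #cmdline contains \"-d\") OR (src.process.name = \"spctl\" AND src.process.cmdline contains:anycase \"--master-disable\") OR (src.process.name = \"log\" AND src.process.cmdline contains:anycase \"erase\" AND src.process.cmdline contains:anycase \"--all\") OR (src.process.name = \"csrutil\" AND src.process.cmdline contains:anycase \"disable\") OR (src.process.name = \"sfltool\" AND src.process.cmdline contains:anycase \"resetbtm\") OR (src.process.name = \"ssh-keygen\" AND src.process.cmdline contains:anycase \".dylib\") OR (src.process.name = \"tclsh\" AND src.process.cmdline contains:anycase \".dylib\") OR (src.process.cmdline contains:anycase \"LoginHook\") OR (src.process.name = \"sysadminctl\" AND src.process.cmdline contains:anycase (\"-addUser\",\"-resetPasswordFor\",\"-smbGuestAccess\",\"-afpGuestAccess\")) OR (src.process.name = \"networksetup\" AND src.process.cmdline contains:anycase (\"-setwebproxy\",\"-setsecurewebproxy\",\"-setautoproxyurl\")) OR (src.process.name = \"systemsetup\" AND src.process.cmdline contains:anycase (\"-setremotelogin\",\"-setremoteappleevents\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, Count\n| sort -Count\n| limit 100000"
+"query": "endpoint.os = \"osx\" AND ((src.process.name = \"security\" AND src.process.cmdline contains:anycase \"dump-keychain\") OR (src.process.name = \"security\" AND src.process.cmdline contains:anycase \"find-generic-password\" AND src.process.cmdline contains:anycase \"Chrome Safe Storage\") OR (src.process.name = \"osascript\" AND src.process.cmdline contains:anycase \"display dialog\" AND src.process.cmdline contains:anycase (\"password\",\"keychain\",\"credential\",\"login\",\"authentif\")) OR (src.process.name = \"sqlite3\" AND src.process.cmdline contains:anycase (\"cookies.sqlite\",\"moz_cookies\",\"Login Data\")) OR (src.process.name = \"log\" AND src.process.cmdline contains:anycase \"eyJ\") OR (#cmdline contains \"com.apple.quarantine\" AND #cmdline contains \"-d\") OR (src.process.name = \"spctl\" AND src.process.cmdline contains:anycase \"--master-disable\") OR (src.process.name = \"log\" AND src.process.cmdline contains:anycase \"erase\" AND src.process.cmdline contains:anycase \"--all\") OR (src.process.name = \"csrutil\" AND src.process.cmdline contains:anycase \"disable\") OR (src.process.name = \"sfltool\" AND src.process.cmdline contains:anycase \"resetbtm\") OR (src.process.name = \"ssh-keygen\" AND src.process.cmdline contains:anycase \".dylib\") OR (src.process.name = \"tclsh\" AND src.process.cmdline contains:anycase \".dylib\") OR (src.process.cmdline contains:anycase \"LoginHook\") OR (src.process.name = \"sysadminctl\" AND src.process.cmdline contains:anycase (\"-addUser\",\"-resetPasswordFor\",\"-smbGuestAccess\",\"-afpGuestAccess\")) OR (src.process.name = \"networksetup\" AND src.process.cmdline contains:anycase (\"-setwebproxy\",\"-setsecurewebproxy\",\"-setautoproxyurl\")) OR (src.process.name = \"systemsetup\" AND src.process.cmdline contains:anycase (\"-setremotelogin\",\"-setremoteappleevents\")))\n| group _FirstSeenMs=min(event.time), _LastSeenMs=max(event.time), Count=count(), UniqueSrcCmdlines=array_agg_distinct(src.process.cmdline) by endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified\n| let _firstSeenNs = _FirstSeenMs * 1000000\n| let _lastSeenNs = _LastSeenMs * 1000000\n| let AllSrcCmdlines = UniqueSrcCmdlines.to_string(', ')\n| columns \"first.timestamp\" = _firstSeenNs, \"last.timestamp\" = _lastSeenNs, endpoint.name, src.process.user, src.process.parent.name, src.process.name, src.process.verified, AllSrcCmdlines, Count\n| sort -Count\n| limit 100000"
 }
 ]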
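Review bot: The hunk fixes the `endpoint.os` literal in a single query at line 470, but the commit message implies every macOS rule was silently returning nothing while the literal was "macos"; nothing here shows the other macOS-category entries in s1_powerquery_hunting.json were checked, so a grep for `endpoint.os = \"macos\"` across the file would confirm this is the only one. Since JSON carries no comments, a brief note on the accepted `endpoint.os` values belongs in the repository README or contributor docs rather than inline. Separately, the two `#cmdline contains \"com.apple.quarantine\"` / `#cmdline contains \"-d\"` clauses are the only case-sensitive matches in an otherwise `contains:anycase` query; if that asymmetry is deliberate it deserves a mention, and if not they should presumably be brought in line. The enclosing JSON array starts well before this hunk.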
