1{
2  "author": [
3    "Elastic"
4  ],
5  "description": "Identifies the execution of a launchd child process whose executable name is hidden (dot-prefixed). An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.",
6  "from": "now-9m",
7  "index": [
8    "auditbeat-*",
9    "logs-endpoint.events.*"
10  ],
11  "language": "kuery",
12  "license": "Elastic License v2",
13  "name": "Suspicious Hidden Child Process of Launchd",
14  "query": "event.category:process and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n",
15  "references": [
16    "https://objective-see.com/blog/blog_0x61.html",
17    "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
18    "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
19  ],
20  "risk_score": 47,
21  "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb",
22  "severity": "medium",
23  "tags": [
24    "Elastic",
25    "Host",
26    "macOS",
27    "Threat Detection",
28    "Persistence",
29    "Defense Evasion"
30  ],
31  "threat": [
32    {
33      "framework": "MITRE ATT&CK",
34      "tactic": {
35        "id": "TA0003",
36        "name": "Persistence",
37        "reference": "https://attack.mitre.org/tactics/TA0003/"
38      },
39      "technique": [
40        {
41          "id": "T1543",
42          "name": "Create or Modify System Process",
43          "reference": "https://attack.mitre.org/techniques/T1543/",
44          "subtechnique": [
45            {
46              "id": "T1543.001",
47              "name": "Launch Agent",
48              "reference": "https://attack.mitre.org/techniques/T1543/001/"
49            }
50          ]
51        }
52      ]
53    },
54    {
55      "framework": "MITRE ATT&CK",
56      "tactic": {
57        "id": "TA0005",
58        "name": "Defense Evasion",
59        "reference": "https://attack.mitre.org/tactics/TA0005/"
60      },
61      "technique": [
62        {
63          "id": "T1564",
64          "name": "Hide Artifacts",
65          "reference": "https://attack.mitre.org/techniques/T1564/",
66          "subtechnique": [
67            {
68              "id": "T1564.001",
69              "name": "Hidden Files and Directories",
70              "reference": "https://attack.mitre.org/techniques/T1564/001/"
71            }
72          ]
73        }
74      ]
75    }
76  ],
77  "timestamp_override": "event.ingested",
78  "type": "query",
79  "version": 1
80}
81