{
  "author": [
    "Elastic"
  ],
  "description": "Identifies the execution of a launchd child process whose name begins with a dot, i.e. a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.",
  "from": "now-9m",
  "index": [
    "auditbeat-*",
    "logs-endpoint.events.*"
  ],
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "Suspicious Hidden Child Process of Launchd",
  "query": "event.category:process and event.type:(start or process_started) and\n process.name:.* and process.parent.executable:/sbin/launchd\n",
  "references": [
    "https://objective-see.com/blog/blog_0x61.html",
    "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
    "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html"
  ],
  "risk_score": 47,
  "rule_id": "083fa162-e790-4d85-9aeb-4fea04188adb",
  "severity": "medium",
  "tags": [
    "Elastic",
    "Host",
    "macOS",
    "Threat Detection",
    "Persistence",
    "Defense Evasion"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0003",
        "name": "Persistence",
        "reference": "https://attack.mitre.org/tactics/TA0003/"
      },
      "technique": [
        {
          "id": "T1543",
          "name": "Create or Modify System Process",
          "reference": "https://attack.mitre.org/techniques/T1543/",
          "subtechnique": [
            {
              "id": "T1543.001",
              "name": "Launch Agent",
              "reference": "https://attack.mitre.org/techniques/T1543/001/"
            }
          ]
        }
      ]
    },
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0005",
        "name": "Defense Evasion",
        "reference": "https://attack.mitre.org/tactics/TA0005/"
      },
      "technique": [
        {
          "id": "T1564",
          "name": "Hide Artifacts",
          "reference": "https://attack.mitre.org/techniques/T1564/",
          "subtechnique": [
            {
              "id": "T1564.001",
              "name": "Hidden Files and Directories",
              "reference": "https://attack.mitre.org/techniques/T1564/001/"
            }
          ]
        }
      ]
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "query",
  "version": 1
}