Detection rules by event: ESF exec
Sigma (71)
- Atomic MacOS Stealer - FileGrabber Activity
- Axios NPM Compromise Indicators - macOS
- Binary Padding - MacOS
- Clipboard Access Via OSAScript
- Clipboard Data Collection Via Pbpaste
- Creation Of A Local User Account
- Credentials from Password Stores - Keychain
- Credentials In Files
- Decode Base64 Encoded Text -MacOs
- Disable Security Tools
- Disk Image Creation Via Hdiutil - MacOS
- Disk Image Mounting Via Hdiutil - MacOS
- File and Directory Discovery - MacOS
- File Download Via Nscurl - MacOS
- File Time Attribute Change
- Gatekeeper Bypass via Xattr
- Guest Account Enabled Via Sysadminctl
- GUI Input Capture - macOS
- Hidden Flag Set On File/Directory Via Chflags - MacOS
- Hidden User Creation
- Indicator Removal on Host - Clear Mac System Logs
- JAMF MDM Execution
- JAMF MDM Potential Suspicious Child Process
- JXA In-memory Execution Via OSAScript
- Launch Agent/Daemon Execution Via Launchctl
- Local Groups Discovery - MacOs
- Local System Accounts Discovery - MacOs
- macOS ESF Suspicious Process Execution
- MacOS Network Service Scanning
- Macos Remote System Discovery
- MacOS Scripting Interpreter AppleScript
- Network Sniffing - MacOs
- New File Exclusion Added To Time Machine Via Tmutil - MacOS
- Osacompile Execution By Potentially Suspicious Applet/Osascript
- OSACompile Run-Only Execution
- Payload Decoded and Decrypted via Built-in Utilities
- Potential Base64 Decoded From Images
- Potential Discovery Activity Using Find - MacOS
- Potential In-Memory Download And Compile Of Payloads
- Potential Persistence Via PlistBuddy
- Potential WizardUpdate Malware Infection
- Potential XCSSET Malware Infection
- Remote Access Tool - Potential MeshAgent Execution - MacOS
- Remote Access Tool - Renamed MeshAgent Execution - MacOS
- Remote Access Tool - Team Viewer Session Started On MacOS Host
- Root Account Enable Via Dsenableroot
- Scheduled Cron Task/Job - MacOs
- Screen Capture - macOS
- Security Software Discovery - MacOs
- Space After Filename - macOS
- Split A File Into Pieces
- Suspicious Browser Child Process - MacOS
- Suspicious Execution via macOS Script Editor
- Suspicious History File Operations
- Suspicious Installer Package Child Process
- Suspicious MacOS Firmware Activity
- Suspicious Microsoft Office Child Process - MacOS
- System Information Discovery Using Ioreg
- System Information Discovery Using sw_vers
- System Information Discovery Using System_Profiler
- System Information Discovery Via Sysctl - MacOS
- System Integrity Protection (SIP) Disabled
- System Integrity Protection (SIP) Enumeration
- System Network Connections Discovery - MacOs
- System Network Discovery - macOS
- System Shutdown/Reboot - MacOs
- Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- Time Machine Backup Disabled Via Tmutil - MacOS
- User Added To Admin Group Via Dscl
- User Added To Admin Group Via DseditGroup
- User Added To Admin Group Via Sysadminctl
Elastic (47)
- AWS SSM `SendCommand` with Run Shell Command Parameters
- AWS SSM Session Manager Child Process Execution
- Curl Execution via Shell Profile
- Curl or Wget Spawned via Node.js
- Data Encrypted via OpenSSL Utility
- Discovery Command Output Written to Suspicious File
- Dylib Injection via Process Environment Variables
- Execution via GitHub Actions Runner
- External IP Address Discovery via Curl
- Keychain CommandLine Interaction via Unsigned or Untrusted Process
- Keychain Password Retrieval via Command Line
- Kubectl Network Configuration Modification
- Kubectl Permission Discovery
- Kubectl Secrets Enumeration Across All Namespaces
- Kubernetes Direct API Request via Curl or Wget
- Manual Loading of a Suspicious Chromium Extension
- Network Connection to OAST Domain via Script Interpreter
- Node.js Pre or Post-Install Script Execution
- Pbpaste Execution via Unusual Parent Process
- Perl Outbound Network Connection
- Potential Data Exfiltration Through Curl
- Potential Git CVE-2025-48384 Exploitation
- Potential Impersonation Attempt via Kubectl
- Potential Kubectl Masquerading via Unexpected Process
- Privileged Container Creation with Host Directory Mount
- Processes with Trailing Spaces
- Prompt for Credentials with Osascript
- Remote GitHub Actions Runner Registration
- Script Interpreter Connection to Non-Standard Port
- Shell Execution via Apple Scripting
- SUID/SGID Bit Set
- Suspicious Curl from macOS Application
- Suspicious Curl to Jamf Endpoint
- Suspicious File Downloaded from Google Drive
- Suspicious Installer Package Spawns Network Event
- Suspicious macOS MS Office Child Process
- Suspicious Outbound Network Connection via Unsigned Binary
- Suspicious pbpaste High Volume Activity
- Suspicious Python Shell Command Execution
- Suspicious React Server Child Process
- Suspicious SIP Check by macOS Application
- System Hosts File Access
- Tampering of Shell Command-Line History
- Tampering with RUNNER_TRACKING_ID in GitHub Actions Runners
- Timestomping using Touch Command
- Trap Signals Execution
- WebProxy Settings Modification