
Ioc #59

Merged
jsirianni merged 8 commits into main from ioc on Feb 12, 2026

Conversation

itonyr (Contributor) commented Jan 28, 2026

Proposed Change

Add a data source that will generate macOS Unified Logging commands that demonstrate Indicators of Compromise. This includes:

  • IPs that are listed on the Abusedb
  • Behaviors that demonstrate the MITRE ATT&CK Technique with ID T1649 on macOS. Specifically, it demonstrates the behavior outlined in detection strategy DET0349.

AN0992
Detect suspicious file creations and process executions triggered by browser activity (e.g., injected payloads written to %AppData% or Temp directories, then executed).

Correlate network anomalies with subsequent local process creation or script execution.

AN0993
Detect curl/wget commands saving executable/script payloads to /tmp or /var/tmp followed by execution. Monitor packet captures or IDS/IPS alerts for injected responses or mismatched content types.

AN0994
Monitor unified logs for processes spawned from Safari or other browsers that immediately load scripts or executables. Detect file drops in ~/Library/Caches or ~/Downloads that execute shortly after being written.

More IOCs to be added for UL.

Checklist
  • Changes are tested
  • CI has passed
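An added example, not code from this PR or from the project's generator: a small Python correlation for the AN0993/AN0994 pattern (a file dropped in a staging directory and executed shortly afterwards) run over log lines in the one-JSON-object-per-line shape the review thread below shows. The timestamps, the 60-second window and the file_create event type are assumptions; the event_type, path and pid fields follow the PR's sample lines.

```python
import json
from datetime import datetime, timedelta

# Drop locations named in the PR's analytics (AN0993: /tmp, /var/tmp; AN0994: ~/Library/Caches, ~/Downloads).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/Library/Caches/", "/Downloads/")
WINDOW = timedelta(seconds=60)  # assumed threshold for "executes shortly after being written"

# Constructed sample in the shape of the PR's data: one JSON object per line, trailing
# commas and a blank separator line kept. Timestamps are filled in here, and the
# "file_create" event type is an assumption (the PR's sample shows process_launch,
# file_execute and signature_match).
SAMPLE_LOG = """\
{"timestamp":"2026-01-28T16:22:00.000Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"file","process":"curl","pid":1440,"ppid":901,"user":"alice","event_type":"file_create","message":"Payload written","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},

{"timestamp":"2026-01-28T16:22:03.000Z","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"},
{"timestamp":"2026-01-28T16:22:04.000Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
{"timestamp":"2026-01-28T17:05:00.000Z","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1460,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed an older script","path":"/Users/alice/Downloads/old_tool.sh","network":null,"result":"success"},
"""


def parse_lines(text):
    """Parse one JSON object per line; blank lines and trailing commas are tolerated."""
    events = []
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        events.append(ev)
    return events


def in_staging_dir(path):
    return any(d in path for d in STAGING_DIRS)


def drop_then_execute(events):
    """Return (path, process, pid, delay_s) for each file_execute of a staged path
    that was written at most WINDOW earlier; executions with no prior write are ignored."""
    written = {}  # path -> time of the most recent write seen
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = ev.get("path") or ""
        if ev["event_type"] == "file_create" and in_staging_dir(path):
            written[path] = ev["ts"]
        elif ev["event_type"] == "file_execute" and path in written:
            delay = ev["ts"] - written[path]
            if delay <= WINDOW:
                hits.append((path, ev["process"], ev["pid"], int(delay.total_seconds())))
    return hits
```

Calling drop_then_execute(parse_lines(SAMPLE_LOG)) flags only the eicar_test.sh execution (4 seconds after its write); the later old_tool.sh execution has no preceding write in the log and is not reported.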

@itonyr itonyr requested a review from a team as a code owner January 28, 2026 16:22
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},

Collaborator


Another thing I noticed is that sometimes you have extra newlines. I don't know how that will affect the generator. I designed it with the sample files all not having them.

Contributor Author


It handled them well when I ran it; this was to let me separate between IOCs and fake log data visually. I can remove it but didn't run into issues AFAIK. Testing again now.

Collaborator


I think you just need to address the PR feedback.

Contributor Author


Should be all set, but do we need a trailing newline? I see a lot of the others have it.

Collaborator


I don't think it matters, any more than your extra newlines mattered (I wasn't sure if they did or not; you could keep them so long as it works).

It was the other PR feedback I meant needed addressing.

jsirianni (Member) commented:

Do we still need this?

Dylan-M (Collaborator) commented Feb 11, 2026

Do we still need this?

You may want to ping Tony on Slack

@jsirianni jsirianni added this pull request to the merge queue Feb 12, 2026
Merged via the queue into main with commit c708386 Feb 12, 2026
16 checks passed
@jsirianni jsirianni deleted the ioc branch February 12, 2026 14:44