splunk · patel-bhavin · May 5, 2025 · Apr 25, 2025 · Apr 25, 2025 · May 1, 2025
@@ -1,7 +1,7 @@
 name: MacOS - Re-opened Applications
 id: 40bb64f9-f619-4e3d-8732-328d40377c4b
 version: 5
-date: '2025-05-02'
+date: '2025-05-05'
 author: Jamie Windley, Splunk
 status: experimental
 type: TTP
@@ -31,9 +31,9 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
 known_false_positives: At this stage, there are no known false positives. During testing,
-  no process events refering the com.apple.loginwindow.plist files were observed during
-  normal operation of re-opening applications on reboot. Therefore, it can be asumed
-  that any occurences of this in the process events would be worth investigating.
+  no process events referring the com.apple.loginwindow.plist files were observed during
+  normal operation of re-opening applications on reboot. Therefore, it can be assumed
+  that any occurrences of this in the process events would be worth investigating.
   In the event that the legitimate modification by the system of these files is in
   fact logged to the process log, then the process_name of that process can be added
   to an allow list.

@@ -0,0 +1,79 @@
+name: MacOS AMOS Stealer - Virtual Machine Check Activity
+id: 4e41ad21-9761-426d-8aa1-083712ff9f30
+version: 1
+date: '2025-04-25'
+author: Nasreddine Bencherchali, Splunk, Alex Karkins
+status: production
+type: Anomaly
+description: |
+  The following analytic detects AMOS Stealer VM check activity on macOS. It leverages osquery to monitor process events and identifies the execution of the "osascript" command along with specific commandline strings. This activity is significant
+  as AMOS stealer was seen using this pattern in order to check if the host is a Virtual Machine or not. If confirmed malicious, this behavior indicate that the host is already infected by the AMOS stealer, which could allow attackers to execute arbitrary code, escalate privileges, steal information, or persist within the environment, posing a significant security risk.
+data_source:
+  - osquery
+search: |
+  `osquery_macro` name=es_process_events 
+  columns.cmdline="*osascript*" AND columns.cmdline="* -e *" AND columns.cmdline="*set*" AND columns.cmdline="*system_profiler*" AND columns.cmdline IN ("*VMware*", "*QEMU*") 
+  | rename columns.* as * 
+  | stats  min(_time) as firstTime max(_time) as lastTime 
+    values(cmdline) as cmdline, 
+    values(pid) as pid, 
+    values(parent) as parent, 
+    values(path) as path,
+    values(signing_id) as signing_id,  
+    by username host 
+  | rename 
+    username as user, 
+    cmdline as process, 
+    parent as parent_process, 
+    path as process_path, 
+    host as dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `macos_amos_stealer___virtual_machine_check_activity_filter`
+how_to_implement: |
+  This detection leverages osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.
+known_false_positives: None identified.
+references:
+  - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
+  - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522osascript%2520-e%2520set%2522%2520AND%2520behaviour_processes%253A%2522system_profiler%2522%2520AND%2520(behaviour_processes%253A%2522VMware%2522%2520OR%2520behaviour_processes%253A%2522QEMU%2522)?type=files
+drilldown_searches:
+  - name: View the detection results for - "$user$" and "$dest$"
+    search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+      "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+rba:
+  message: AMOS Stealer activity on host $dest$ by user $user$
+  risk_objects:
+    - field: user
+      type: user
+      score: 40
+    - field: dest
+      type: system
+      score: 40
+  threat_objects: []
+tags:
+  analytic_story:
+  - AMOS Stealer
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1059.002
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.log
+    source: osquery
+    sourcetype: osquery:results
@@ -1,7 +1,7 @@
 name: MacOS LOLbin
 id: 58d270fb-5b39-418e-a855-4b8ac046805e
 version: 7
-date: '2025-05-02'
+date: '2025-05-05'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -13,7 +13,8 @@ description: The following analytic detects multiple executions of Living off th
   detection. If confirmed malicious, this behavior could allow attackers to execute
   arbitrary code, escalate privileges, or persist within the environment, posing a
   significant security risk.
-data_source: []
+data_source:
+- osquery
 search: '`osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*",
   "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*") | rename
   columns.* as * | stats  min(_time) as firstTime max(_time) as lastTime values(cmdline)

@@ -0,0 +1,18 @@
+name: AMOS Stealer
+id: b12e5c84-75a0-3a79-9403-e35c9fe3485c
+version: 1
+date: '2025-05-05'
+author: Nasreddine Bencherchali, Splunk
+status: production
+description: The AMOS Stealer analytic story provides detection and investigation content for identifying and responding to threats associated with the AMOS information stealer on Mac systems. AMOS (Atomic macOS Stealer) is a known malware family designed specifically for MacOS, capable of stealing credentials, system information, and browser data. This story leverages analytics using osquery data to detect suspicious behavior consistent with AMOS, including VM detection commands used to evade analysis environments. Security teams can use the searches in this story to identify and respond to signs of AMOS compromise in their MacOS fleet.
+narrative: AMOS Stealer (Atomic macOS Stealer) is an active threat targeting macOS users, capable of harvesting sensitive data, executing scripts, and conducting system reconnaissance to evade detection. It is typically distributed through malicious downloads or phishing campaigns. Once executed, AMOS performs a variety of checks to determine whether it is running in a virtualized environment before proceeding with its payload. One notable technique involves using `osascript` with AppleScript commands to enumerate virtualization indicators like VMware and QEMU. This analytic story focuses on detecting these early-stage behaviors using `osquery` data. Detecting AMOS behavior early in its execution phase gives defenders the opportunity to isolate affected hosts, investigate lateral movement or privilege escalation attempts, and mitigate data exfiltration risk.
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos
+tags:
+  category:
+  - Malware
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection