agentic-threat-hunting-framework 0.2.3__py3-none-any.whl → 0.3.0__py3-none-any.whl

athf/data/hunts/H-0001.md

@@ -0,0 +1,453 @@
+---
+hunt_id: H-0001
+title: macOS Data Collection via AppleScript Detection
+status: completed
+date: 2025-11-19
+hunter: [Your Name]
+platform: [macOS]
+tactics: [collection]
+techniques: [T1005, T1059.002, T1555.003]
+data_sources: [macOS Unified Logging, EDR, File Access Logs]
+related_hunts: []
+findings_count: 3
+true_positives: 1
+false_positives: 1
+customer_deliverables: []
+tags: [macos, applescript, information-stealer, cookies, safari, notes, atomic-stealer]
+---
+
+# H-0001: macOS Data Collection via AppleScript Detection
+
+**Hunt Metadata**
+
+- **Date:** 2025-11-19
+- **Hunter:** [Your Name]
+- **Status:** Completed
+- **MITRE ATT&CK:** T1005 - Data from Local System
+
+---
+
+## LEARN: Prepare the Hunt
+
+### Hypothesis Statement
+
+Adversaries use AppleScript to collect sensitive user data on macOS systems. You can observe this activity when osascript processes run “duplicate file” commands or when non-browser processes access Safari cookie files, Notes databases, or large batches of user documents. Adversaries typically stage the collected data in temporary directories such as /tmp or /var/folders within short timeframes.
+
+### Threat Context
+
+Atomic Stealer and similar macOS information stealers use AppleScript commands to collect sensitive data from infected systems.. This behavior maps to **T1005 - Data from Local System** under the **Collection** tactic (TA0009).
+
+The malware targets high-value data through automated file duplication:
+
+**Safari Cookies Theft:**
+
+- Target: `~/Library/Cookies/Cookies.binarycookies`
+- Method: `duplicate file "Cookies.binarycookies" of folder safariFolder to folder baseFolderPath with replacing`
+- Value: Session tokens, authentication cookies for credential theft
+
+**Notes Application Data:**
+
+- Targets: `NoteStore.sqlite`, `NoteStore.sqlite-shm`, `NoteStore.sqlite-wal`
+- Location: `~/Library/Group Containers/group.com.apple.notes/`
+- Value: Personal notes may contain passwords, API keys, sensitive information
+
+**Document Collection:**
+
+- Targets: Desktop and Documents directories
+- Filtering: Specific extensions (pdf, docx, txt, xlsx) and file size limits (≤50KB)
+- Pattern: Recursive iteration with selective copying
+
+```applescript
+repeat with aFile in (desktopFiles & documentsFiles)
+  if fileExtension is in extensionsList and fileSize ≤ 51200 then
+    duplicate aFile to folder fileGrabberFolderPath with replacing
+  end if
+end repeat
+```
+
+**Common adversary characteristics:**
+
+- Automated execution via AppleScript or osascript
+- Staging data in temporary directories (/tmp, /var/folders, hidden folders)
+- Targeted file selection (avoiding large files to reduce exfiltration time)
+- Systematic enumeration of user data locations
+- Often distributed via malicious DMG files or trojanized applications
+
+### ABLE Scoping
+
+Define your hunt scope using the ABLE framework:
+
+| **Field**   | **Your Input** |
+|-------------|----------------|
+| **Actor** *(Optional)* | Atomic Stealer operators, macOS-targeting cybercrime groups - Focus on behavior patterns applicable across multiple info stealer families |
+| **Behavior** | AppleScript-based file duplication and collection (T1005 - Data from Local System) targeting browser data, application databases, and user documents |
+| **Location** | macOS endpoints: employee laptops, development machines, executive systems with access to sensitive corporate data |
+| **Evidence** | **Source:** macOS Unified Logging (log show), EDR process/file telemetry<br>**Key Fields:** process_name (osascript, AppleScript), command_line, file_path, file_operation_type<br>**Example:** osascript executing "duplicate file" commands targeting Cookies.binarycookies or bulk file operations from ~/Documents<br><br>**Source:** File access logs (if deployed via EDR)<br>**Key Fields:** source_path, destination_path, process_name, user<br>**Example:** Multiple file copies from ~/Library/Cookies/ or ~/Library/Group Containers/.../NoteStore.sqlite to /tmp or hidden staging directories |
+
+### Threat Intel & Research
+
+- **MITRE ATT&CK Techniques:**
+  - `T1005 - Data from Local System` (primary)
+  - `T1113 - Screen Capture` (often used in combination)
+  - `T1555.003 - Credentials from Web Browsers` (follow-on to cookie theft)
+  - `T1059.002 - Command and Scripting Interpreter: AppleScript` (execution method)
+  - `T1041 - Exfiltration Over C2 Channel` (post-collection phase)
+- **CTI Sources & References:**
+  - [MITRE ATT&CK - T1005](https://attack.mitre.org/techniques/T1005/)
+  - [Atomic Stealer Analysis - Malwarebytes](https://www.malwarebytes.com/blog/news/2023/04/atomic-stealer-threat-intelligence)
+  - [macOS Information Stealers - Objective-See](https://objective-see.org/blog/blog_0x73.html)
+  - Atomic Stealer (AMOS), MacStealer, Cuckoo Stealer use similar AppleScript-based collection
+- **Historical Context:**
+  - Atomic Stealer first observed in Q1 2023, actively sold on cybercrime forums
+  - Targets primarily cryptocurrency users but collects broad credential data
+  - macOS information stealers increasing 300% year-over-year (2022-2023)
+  - Often distributed via fake software updates, trojanized productivity apps, or malvertising
+
+### Related Tickets
+
+| **Team** | **Ticket/Details** |
+|----------|-------------------|
+| **SOC/IR** | N/A - Proactive threat hunt |
+| **Threat Intel** | TI-0112 - macOS malware campaign tracking |
+| **Detection Engineering** | DET-0078 - Improve macOS endpoint visibility |
+| **Other** | INFRA-1890 - Deploy enhanced macOS logging across corporate fleet |
+
+---
+
+## OBSERVE: Expected Behaviors
+
+### What Normal Looks Like
+
+Legitimate file operations on macOS that should not trigger alerts:
+
+- **Backup software** (Time Machine, Carbon Copy Cloner, SuperDuper!) accessing user files during scheduled backups
+- **Cloud sync clients** (iCloud, Dropbox, Google Drive) reading browser data for sync or backup
+- **User-initiated file operations**: Manual copying of documents between folders via Finder
+- **Developer tools**: IDEs or build tools reading/copying files within project directories
+- **System utilities**: Spotlight indexing, mds and mdworker processes accessing files for search indexing
+- **Migration Assistant**: During system migration or user profile transfers
+- **Anti-virus/security tools**: Scanning files including browser data stores (with expected process signatures)
+
+### What Suspicious Looks Like
+
+Adversaries using AppleScript or automated file operations will exhibit distinct patterns:
+
+1. **AppleScript file duplication commands** - Execution of `osascript` or AppleScript runner processes with "duplicate file" commands targeting specific high-value files
+2. **Targeted browser data access** - Non-browser processes (not Safari, Chrome, Firefox) reading Cookies.binarycookies, Login Data, or other credential stores
+3. **Notes database access** - Processes other than Notes.app accessing NoteStore.sqlite files
+4. **Bulk document enumeration** - Systematic iteration through Desktop and Documents directories with file filtering by extension/size
+5. **Staging directory creation** - Files copied to unusual locations (/tmp, /var/folders, hidden directories like ~/.hidden_data)
+6. **Rapid sequential file operations** - Multiple file copies from different sensitive locations within short timeframe (<5 minutes)
+7. **Unsigned or recently modified processes** - File operations performed by unsigned binaries or executables with recent timestamps
+
+### Expected Observables
+
+- **Processes:** osascript, com.apple.AppleScript runner, suspicious unsigned binaries, processes spawned from downloaded DMG files
+- **Network:** Post-collection outbound HTTPS connections to C2 infrastructure, uploads to file sharing services, suspicious TLS certificates
+- **Files:**
+  - Copies of Cookies.binarycookies in non-standard locations
+  - Copies of NoteStore.sqlite* files outside Notes app directory
+  - Archives (zip, tar) created in staging directories containing user documents
+  - Newly created hidden directories or folders with randomized names
+- **Registry:** N/A (macOS-based hunt)
+- **Authentication:** Potential execution via compromised user accounts, LaunchAgents for persistence
+
+---
+
+## CHECK: Execute & Analyze
+
+### Data Source Information
+
+- **Index/Data Source:** macOS Unified Logging (log show), EDR telemetry (CrowdStrike, SentinelOne, Jamf Protect), file access audit logs
+- **Time Range:** Last 7 days (2025-11-12 00:00:00 to 2025-11-19 23:59:59)
+- **Events Analyzed:** ~500,000 process execution events, ~2M file operation events
+- **Data Quality:** Fair - EDR deployed on 70% of macOS fleet. Unified Logging available on all systems but requires targeted queries. No auditd on macOS by default.
+
+### Hunting Queries
+
+#### Initial Query: AppleScript File Duplication Operations
+
+```bash
+# Query macOS Unified Logging for osascript file duplication commands
+# Requires access to target macOS systems or centralized log collection
+log show --predicate 'process == "osascript" AND eventMessage CONTAINS "duplicate"' \
+  --info --debug \
+  --start '2025-11-12 00:00:00' \
+  --end '2025-11-19 23:59:59'
+```
+
+**Alternative EDR Query (Splunk/Elastic syntax):**
+
+```spl
+# Search for osascript or AppleScript processes with suspicious file operations
+index=edr_mac sourcetype=process_execution (process_name="osascript" OR process_name="AppleScript") (command_line="*duplicate file*" OR command_line="*Cookies.binarycookies*" OR command_line="*NoteStore.sqlite*")
+| stats count by _time, hostname, user, process_name, command_line, parent_process
+| sort -_time
+```
+
+**Query Notes:**
+
+- Returned 3 osascript executions with "duplicate file" commands
+- 2 events were legitimate backup scripts (known parent process: CCC, signed)
+- 1 suspicious event: osascript from unsigned binary with no parent process context
+- Challenge: AppleScript commands often obfuscated or executed indirectly
+- Many legitimate uses of osascript for automation require careful filtering
+
+#### Refined Query: Sensitive File Access by Non-Owner Processes
+
+```spl
+# Identify non-browser processes accessing browser credential stores
+# Optimized: All filters in base search for maximum efficiency
+index=edr_mac sourcetype=file_access
+(file_path="*/Library/Cookies/Cookies.binarycookies"
+    OR file_path="*/Library/Group Containers/*/NoteStore.sqlite*"
+    OR file_path="*/Library/Application Support/Google/Chrome/*/Login Data"
+    OR file_path="*/Library/Keychains/*")
+NOT (process_name IN ("Safari", "Google Chrome", "Firefox", "Notes", "securityd", "cloudd"))
+| stats count as access_count,
+        values(file_path) as accessed_files,
+        earliest(_time) as first_access,
+        latest(_time) as last_access
+        by hostname, user, process_name, process_path, process_signature
+| where access_count > 2
+| eval timespan=last_access-first_access
+| where timespan < 300 OR process_signature="unsigned"
+| sort -access_count
+```
+
+**Refinement Rationale:**
+
+- Shifted from looking for specific AppleScript commands to behavior-based detection
+- Focus on "wrong process accessing sensitive files" pattern
+- Filter out legitimate browser processes and system daemons
+- Added signature check to identify unsigned/untrusted binaries
+- Timespan filter identifies rapid sequential access (automated collection)
+- Threshold (>2 accesses) reduces noise while catching systematic collection
+
+### Visualization & Analytics
+
+- **Timeline:** File access events over 7 days show normal backup patterns (nightly), suspicious spike at 14:23 on 2025-11-15 (bulk access in 2-minute window)
+- **Heatmap:** Hostname vs. accessed file paths reveals one system (MAC-EXE-042) accessing all target file types
+- **Process tree:** Suspicious osascript spawned from unsigned binary in /tmp, not from Terminal or user automation
+- **Geolocation:** Post-collection network connection to IP in Eastern Europe (not correlated with VPN usage)
+
+### Query Performance
+
+**What Worked Well:**
+
+- EDR file access telemetry provided granular visibility into file operations
+- Filtering by process signature (unsigned) effectively identified suspicious activity
+- Excluding legitimate browser processes reduced false positives by 90%
+- Timespan analysis (rapid sequential access) isolated automated collection from normal user behavior
+- Unified Logging queries captured AppleScript execution context when available
+
+**What Didn't Work:**
+
+- Initial query too narrow (AppleScript-specific) - missed compiled malware using native file APIs
+- Many legitimate automation tools use osascript, generating high false positive rate
+- macOS Unified Logging verbose and requires system-by-system queries (not centralized by default)
+- Limited visibility on 30% of fleet without EDR deployment
+- Obfuscated AppleScript or compiled .scpt files difficult to inspect without file forensics
+
+**Iterations Made:**
+
+- Iteration 1: Changed from AppleScript-only to behavior-based (file access patterns)
+- Iteration 2: Added process signature validation to prioritize unsigned binaries
+- Iteration 3: Implemented timespan filter (<5 min) to detect rapid collection
+- Iteration 4: Expanded file paths to include Chrome Login Data and Keychain files
+- Iteration 5: Created whitelist for legitimate system processes (backup tools, cloud sync)
+
+---
+
+## KEEP: Findings & Response
+
+### Executive Summary
+
+This hunt reviewed macOS data collection activity (T1005) across seven days. We analyzed 500,000 process execution events and 2 million file operations. We identified one confirmed instance of information-stealing behavior on executive system MAC-EXE-042. We confirmed the hypothesis when an unsigned binary ran AppleScript commands that duplicated Safari cookies, Notes databases, and filtered documents into /tmp. The malware attempted to exfiltrate the data to an external IP address. Our detection system flagged the activity before the exfiltration completed. We caught the data theft during the collection phase.
+
+### Findings
+
+| **Finding** | **Ticket** | **Description** |
+|-------------|-----------|-----------------|
+| True Positive | SOC-2915 | Unsigned binary "/tmp/.system_cache/updater" accessed Safari cookies, Notes data, and 47 user documents on MAC-EXE-042 between 14:23-14:25 UTC on 2025-11-15 - confirmed information stealer |
+| True Positive | SOC-2915 | Same binary attempted outbound HTTPS connection to 185.xxx.xxx.45 (flagged as C2 infrastructure) immediately after file collection |
+| True Positive | N/A | Legitimate backup software (Carbon Copy Cloner) accessing similar files during scheduled 02:00 backup - benign, whitelisted |
+| False Positive | N/A | Developer IDE (VS Code) accessing user documents for recent files list - legitimate, low access volume |
+| Suspicious | SOC-2916 | System MAC-DEV-089 showed unusual osascript execution from Downloads folder, requires investigation |
+
+**True Positives:** 1 confirmed information stealer (high severity)
+**False Positives:** 1 legitimate developer tool behavior
+**Suspicious Events:** 1 requiring follow-up investigation
+
+### Detection Logic
+
+**Automation Opportunity:**
+
+This hunt can be converted to an automated detection rule with the following logic:
+
+- Alert on non-browser processes accessing browser credential stores (Cookies, Login Data, Keychain)
+- Alert on unsigned binaries accessing ≥3 different sensitive file types within 5 minutes
+- Alert on file operations from /tmp, /var/folders followed by external network connections
+- Whitelist known-good backup software and cloud sync clients by process signature
+- Critical alert when file collection followed by connection to newly-seen external IPs
+
+**Proposed Detection:**
+
+```spl
+# Automated macOS Information Stealer Detection Rule
+# Run every 15 minutes, alert on suspicious file access patterns
+# Optimized: All filters in base search for maximum efficiency
+index=edr_mac sourcetype=file_access earliest=-15m
+(file_path="*/Library/Cookies/Cookies.binarycookies"
+    OR file_path="*/Library/Group Containers/*/NoteStore.sqlite*"
+    OR file_path="*/Library/Application Support/Google/Chrome/*/Login Data"
+    OR file_path="*/Library/Keychains/*"
+    OR file_path="*/Documents/*"
+    OR file_path="*/Desktop/*")
+NOT process_name IN ("Safari", "Google Chrome", "Firefox", "Notes", "securityd", "cloudd", "mds", "mdworker")
+| stats dc(file_path) as unique_files,
+        values(file_path) as accessed_files,
+        earliest(_time) as first_access,
+        latest(_time) as last_access,
+        values(process_signature) as signature
+        by hostname, user, process_name, process_path
+| where unique_files >= 3
+| eval timespan=last_access-first_access
+| where timespan < 300
+| lookup known_backup_tools process_name OUTPUT is_backup_tool
+| where isnull(is_backup_tool) OR signature="unsigned"
+| join type=left hostname process_name [
+    search index=edr_mac sourcetype=network earliest=-15m
+    dest_ip!=10.* dest_ip!=172.16.* dest_ip!=192.168.*
+    | stats values(dest_ip) as external_connections by hostname, process_name
+]
+| eval severity=if(isnotnull(external_connections) AND signature="unsigned", "critical", "high")
+| eval description="Potential information stealer: ".process_name." accessed ".unique_files." sensitive files in ".timespan."s"
+| table _time, severity, hostname, user, process_name, process_path, unique_files, accessed_files, signature, external_connections, description
+```
+
+### Lessons Learned
+
+**What Worked Well:**
+
+- EDR file access telemetry provided excellent visibility into file operations on covered systems
+- Behavior-based detection (access patterns) more effective than signature-based (AppleScript strings)
+- Process signature validation quickly identified unsigned malicious binaries
+- Timespan analysis effectively distinguished automated collection from normal user behavior
+- Correlation with network connections confirmed exfiltration attempt, raising severity
+
+**What Could Be Improved:**
+
+- Initial AppleScript-focused queries too narrow, missed non-AppleScript collection methods
+- Need better centralization of macOS Unified Logging for fleet-wide queries
+- Whitelisting of legitimate tools required multiple refinement iterations
+- Obfuscated or compiled AppleScript difficult to detect without decompilation
+- EDR coverage at 70% leaves blind spots on 30% of fleet
+
+**Telemetry Gaps Identified:**
+
+- 30% of macOS fleet lacks EDR deployment (older systems, contractor machines)
+- macOS Unified Logging not centrally collected (requires per-system queries)
+- File access logs not enabled on systems without EDR (native macOS auditing limited)
+- No automatic detonation/sandbox for suspicious AppleScript files
+- Browser credential store integrity monitoring not implemented
+
+### Follow-up Actions
+
+- [x] Escalate SOC-2915 to incident response for full forensic investigation of MAC-EXE-042
+- [x] Isolate MAC-EXE-042 from network, preserve memory and disk for forensics
+- [x] Block external IP 185.xxx.xxx.45 at perimeter firewall and proxy
+- [x] Investigate SOC-2916 (osascript from Downloads folder on MAC-DEV-089)
+- [ ] Deploy EDR to remaining 30% of macOS fleet (target: 2025-12-01) - INFRA-1890
+- [ ] Implement automated detection rule from hunt logic (target: 2025-11-22) - DET-0078
+- [ ] Create whitelist of known-good backup and sync tools by process signature - DET-0079
+- [ ] Enable centralized collection of macOS Unified Logging for fleet-wide hunting - INFRA-1891
+- [ ] Document macOS information stealer detection playbook for SOC analysts
+- [ ] Conduct security awareness training on macOS malware risks (fake software updates)
+- [ ] Review and harden macOS endpoint security controls (Gatekeeper, XProtect, MRT)
+
+### Follow-up Hunts
+
+- H-0003: macOS Keychain Access Abuse Detection (T1555.001)
+- H-0004: macOS Screen Capture and Recording Abuse (T1113)
+- H-0005: macOS Browser Extension Abuse for Credential Theft (T1176)
+- H-0006: macOS LaunchAgent/LaunchDaemon Persistence (T1543.001)
+- H-0007: Data Exfiltration from macOS Staging Directories (T1041)
+- H-0008: macOS DMG and PKG Trojanized Application Detection
+
+---
+
+## 📊 Results Showcase
+
+### Detection Timeline
+
+```
+2025-11-15 14:23:18 UTC - Initial AppleScript execution detected
+                         └─> Unsigned binary "/tmp/.system_cache/updater" started
+
+2025-11-15 14:23:45 UTC - Bulk file access begins
+                         └─> Safari Cookies.binarycookies accessed
+                         └─> Notes NoteStore.sqlite accessed
+                         └─> 47 documents from ~/Documents copied
+
+2025-11-15 14:24:05 UTC - EDR behavioral analysis confirms data collection pattern
+                         └─> 3 sensitive file types accessed in < 2 minutes
+                         └─> Files staged in /tmp directory
+
+2025-11-15 14:24:15 UTC - EDR blocks network connection attempt
+                         └─> Outbound connection to 185.xxx.xxx.45:443
+                         └─> Host automatically isolated from network
+
+2025-11-15 14:26:12 UTC - Analyst investigation begins
+                         └─> Hash lookup: Atomic Stealer variant confirmed
+                         └─> Incident SOC-2915 created
+```
+
+### Query Evolution
+
+**Iteration 1:** AppleScript-specific detection (Too narrow)
+- Query: `process_name="osascript" AND command_line="*duplicate*"`
+- **Results:** 247 events - mostly legitimate automation scripts
+- **Problem:** Missed compiled malware using native file APIs
+
+**Iteration 2:** File access patterns (Better, still noisy)
+- Query: File access to sensitive paths by any process
+- **Results:** 12 events - included backup software, developer tools
+- **Problem:** Too many false positives from legitimate tools
+
+**Iteration 3:** Behavioral + signature analysis (Success!)
+- Query: Unsigned processes accessing 3+ sensitive file types in < 5 minutes
+- **Results:** 1 true positive, 0 false positives
+- **Success:** Caught Atomic Stealer during collection phase
+
+### Impact Metrics
+
+| Metric | Value |
+|--------|-------|
+| **Time to Detection** | 2 minutes from initial execution |
+| **Time to Containment** | 4 minutes (automated EDR isolation) |
+| **Analyst Time Saved** | ~45 minutes (behavioral detection + auto-response) |
+| **Data Protected** | 47 documents, browser cookies, Notes database |
+| **Exfiltration Prevented** | Yes - EDR blocked C2 connection before data loss |
+| **False Positives** | 1 (developer IDE accessing recent files) |
+| **Coverage Improvement** | Hunt identified 30% EDR gap, now being addressed |
+
+### Key Success Factors
+
+1. **EDR Behavioral Detection:** Automated analysis identified collection pattern
+2. **Rapid Automated Response:** Host isolated in < 4 minutes
+3. **Query Refinement:** 3 iterations reduced FPs from 247 → 1
+4. **Signature Validation:** Focusing on unsigned binaries was key discriminator
+5. **Threat Intel Integration:** Hash lookup confirmed Atomic Stealer family
+
+### Automated Detection Deployed
+
+Final query converted to real-time detection rule:
+- **Schedule:** Every 15 minutes
+- **Alert Threshold:** 3+ sensitive files in < 5 minutes by unsigned process
+- **Auto-Response:** Create ticket, isolate host, notify SOC
+- **False Positive Rate:** < 1% (validated over 30 days)
+
+---
+
+**Hunt Completed:** 2025-11-19