Emerging Threathighexperimental

Atomic MacOS Stealer - FileGrabber Activity

Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Jason Phang Vern - Onn, Robbin Ooi Zhen Heng (Gen Digital)Created Sat Nov 22e710a880-1f18-4417-b6a0-b5afdf7e33da2025

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_curl_post:
        CommandLine|contains|all:
            - 'curl'
            - 'POST'
            - 'user:'
            - '-H '
            - 'BuildID'
            - 'file=@/tmp/out.zip'
            - 'cl: 0'
    selection_filegrabber_exec:
        CommandLine|contains|all:
            - 'FileGrabber'
            - '/tmp'
    condition: 1 of selection_*