Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Potential WizardUpdate Malware Infection

Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Tim Rauch, Elastic SecurityCreated Mon Oct 17f68c4a4f-19ef-4817-952c-50dce331f4b0macos
Log Source
macOSProcess Creation
ProductmacOS← raw: macos
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_1:
        Image|endswith: '/sh'
        CommandLine|contains|all:
            - '=$(curl '
            - 'eval'
    selection_2:
        Image|endswith: '/curl'
        CommandLine|contains: '_intermediate_agent_'
    condition: 1 of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
github.com
2
Resolving title…
malpedia.caad.fkie.fraunhofer.de
3
Resolving title…
microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
f68c4a4f-19ef-4817-952c-50dce331f4b0
Status
test
Level
high
Type
Detection
Created
Mon Oct 17
Author
Tim Rauch, Elastic Security
Path
rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml
Raw Tags
attack.command-and-control
View on GitHub