Rule Library

Sigma Rules

2 rules found for "Jason Phang Vern - Onn"

3,707Total

3,116Detection

451Emerging

137Hunting

Filters

Type

Severity

Status

Product

Atomic MacOS Stealer - Persistence Indicators

Detects creation of persistence artifacts placed by Atomic MacOS Stealer in macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.

macOSFile Event

TA0003 · PersistenceTA0004 · Privilege EscalationTA0005 · Defense EvasionT1564.001 · Hidden Files and Directories+2

Jason Phang Vern - Onn+1Sat Nov 222025

Emerging Threathighexperimental

Atomic MacOS Stealer - FileGrabber Activity

Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.

macOSProcess Creation

TA0002 · ExecutionT1059.002 · AppleScriptdetection.emerging-threats

Jason Phang Vern - Onn+1Sat Nov 222025