Rule Library
Sigma Rules
2 rules found for "Jason Phang Vern - Onn"
3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Emerging Threat, high, experimental
Atomic MacOS Stealer - Persistence Indicators
Detects creation of persistence artifacts placed by Atomic MacOS Stealer on macOS systems. Recent Atomic MacOS Stealer variants have been observed dropping these to maintain persistent access after compromise.
macOS, File Event
TA0003 · Persistence, TA0004 · Privilege Escalation, TA0005 · Defense Evasion, T1564.001 · Hidden Files and Directories, +2
Jason Phang Vern - Onn +1, Sat Nov 22 2025
Emerging Threat, high, experimental
Atomic MacOS Stealer - FileGrabber Activity
Detects suspicious activity associated with Atomic MacOS Stealer (Amos) campaigns, including execution of FileGrabber and curl-based POST requests used for data exfiltration. The rule identifies either the execution of FileGrabber targeting /tmp or the use of curl to POST sensitive user data (including files such as /tmp/out.zip) to remote servers, which are key indicators of Amos infostealer activity.
macOS, Process Creation
TA0002 · Execution, T1059.002 · AppleScript, detection.emerging-threats
Jason Phang Vern - Onn +1, Sat Nov 22 2025