""ET INFO MacOS Process List in HTTP POST Request (/sbin/launchd) M1""

SID: 2048894

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2023_10_24, deployment Perimeter, performance_impact Low, confidence High, updated_at 2023_10_24, reviewed_at 2023_10_24

Reference:

  • md5

  • 90385d612877e9d360196770d73d22d6

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

  • Value: "POST"

  • Value: "PID|20|USER|20 20 20 20 20 20 20 20 20 20 20 20 20 20|PPID|20|COMM"

  • Value: "1|20|root|20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20|0|20|"

  • Value: "/sbin/launchd"

Within: 44

PCRE:

Special Options:

  • http_method

  • http_client_body

  • fast_pattern

  • http_client_body

  • http_client_body

source