
macOS process create detections related to Bluenoroff macOS intrusion

Open stuartjash opened this issue 2 months ago • 0 comments

Summary of the Pull Request

Adds two rules related to the BlueNoroff Web3 Intrusion as noted by Huntress.

New rules:

  • proc_creation_macos_hidden_exec_shared.yml | New hidden process (prepended with a .) running from /Users/Shared/
  • proc_creation_macos_remoted_spawning_shell.yml | The binary remoted spawning a shell process.

Changelog

  • new: Hidden Executable In Shared
  • new: Remoted Spawning Shell

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

stuartjash · Oct 17 '25 09:10
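The two detections the PR describes, written out as an added Python matcher and run over constructed process-creation events. This is not the PR's YAML rule files or SigmaHQ code; the field names follow the Sigma macOS `process_creation` taxonomy (`Image`, `ParentImage`, `CommandLine`), and the shell name list, the path normalisation and the sample events are assumptions made for the example.

```python
"""Added example (not the PR's rules): the two detections described above,
approximated in Python and run over constructed process-creation events.
Field names follow the Sigma macOS process_creation taxonomy (Image,
ParentImage, CommandLine); the shell allow-list and the sample events are
assumptions."""
import posixpath
from typing import Iterable, List, Tuple

# Compared case-insensitively, as Sigma's startswith/endswith modifiers are and
# as the default (case-insensitive) APFS volume would resolve the path anyway.
SHARED_DIR = "/users/shared/"
# Assumed shell allow-list for rule 2; extend for the shells present in your fleet.
SHELL_NAMES = {"sh", "bash", "zsh", "csh", "tcsh", "ksh", "dash"}


def is_hidden_exec_in_shared(image: str) -> bool:
    """Rule 1: an executable whose file name starts with '.' and lives under
    /Users/Shared/. The path is normalised first so '/Users/Shared/./.x' or
    '/Users/Shared//.x' do not slip past the prefix check."""
    norm = posixpath.normpath(image)
    if not norm.lower().startswith(SHARED_DIR):
        return False
    name = posixpath.basename(norm)
    return name.startswith(".") and name not in (".", "..")


def is_remoted_spawning_shell(parent_image: str, image: str) -> bool:
    """Rule 2: the remoted binary (matched on its file name, the way a Sigma
    ParentImage|endswith: '/remoted' would) is the parent of a shell."""
    return (posixpath.basename(parent_image) == "remoted"
            and posixpath.basename(image).lower() in SHELL_NAMES)


def evaluate(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (rule_title, Image) for every event that fires a rule.
    One event may fire both rules."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        if is_hidden_exec_in_shared(image):
            hits.append(("Hidden Executable In Shared", image))
        if is_remoted_spawning_shell(parent, image):
            hits.append(("Remoted Spawning Shell", image))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # true positive, rule 1: dot-prefixed binary directly under /Users/Shared/
    {"Image": "/Users/Shared/.cache_helper", "ParentImage": "/bin/zsh",
     "CommandLine": "/Users/Shared/.cache_helper"},
    # benign: visible binary in the same directory
    {"Image": "/Users/Shared/Installer", "ParentImage": "/bin/zsh",
     "CommandLine": "/Users/Shared/Installer"},
    # true positive, rule 2: remoted is the parent of /bin/sh
    {"Image": "/bin/sh", "ParentImage": "/usr/libexec/remoted",
     "CommandLine": "/bin/sh -c /tmp/stage.sh"},
    # benign: interactive shell started by a terminal app
    {"Image": "/bin/zsh",
     "ParentImage": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "CommandLine": "-zsh"},
    # rule 1 only: path needs normalising, parent is remoted but child is not a shell
    {"Image": "/Users/Shared/./.update", "ParentImage": "/usr/libexec/remoted",
     "CommandLine": "/Users/Shared/.update"},
    # rule 1: differently-cased path still matches
    {"Image": "/users/shared/.x", "ParentImage": "/bin/sh", "CommandLine": ".x"},
    # not matched as described: visible binary inside a hidden directory
    {"Image": "/Users/Shared/.hidden_dir/tool", "ParentImage": "/bin/sh",
     "CommandLine": "tool"},
]

if __name__ == "__main__":
    for rule, image in evaluate(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

The last sample event shows a design choice: keyed on the executable's file name, as the PR text describes it, the rule ignores a normally-named binary dropped inside a hidden directory; widening `is_hidden_exec_in_shared` to any `/.` path component under `/Users/Shared/` catches that variant at the cost of more review work. For rule 2, baseline which children `remoted` actually spawns on your fleet before alerting on it, since the example treats any shell child as a hit.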