# Endpoint behavior rule (Elastic): macOS Launchpad hijack via the `open` command.
# Comments are the only additions here; every key is consumed by the rule tooling.
[rule]
# Human-readable rationale for the detection (multi-line basic string).
description = """
This rule detects when the open command is used to launch the Launchpad application and the parent process is a
scripting language or the parent process is not signed or does not have a code signature. Threat actors have been seen
using the open command to launch the Launchpad application from a scripting language or from an unsigned or untrusted
process to evade detection when attempting to implement a malicious launchpad application.
"""
# Stable rule identifier; keep it fixed across edits and bump `version` instead.
id = "b64bf1de-5e36-4051-89d6-8b4492bcfdbd"
license = "Elastic License v2"
name = "Launchpad Hijack"
# The rule is scoped to macOS endpoints only.
os_list = ["macos"]
# Public reporting the detection is based on.
# NOTE(review): a social-media post may not stay available; a more durable
# reference alongside it would help future maintainers.
reference = ["https://x.com/MsftSecIntel/status/1891410993265123662"]
version = "1.0.2"
# Detection logic (EQL-style query; literal string, so no escaping needed):
#  - process start/exec events where the executable is `open` and one of its
#    arguments is exactly the Launchpad bundle identifier
#    "com.apple.launchpad.launcher";
#  - AND the parent is one of the listed script interpreters
#    (osascript, applet, bash, sh, zsh), OR the parent's code signature is
#    not trusted, OR the parent has no code signature at all.
# `process.args ==` matches the bundle identifier at any position in the
# argument list, so argument order does not affect the match.
# NOTE(review): invocations that name the application by something other
# than its bundle identifier are not covered by this query — confirm that
# scope is intended.
query = '''
process where event.type == "start" and event.action == "exec" and process.name == "open" and
process.args == "com.apple.launchpad.launcher" and (process.parent.name in ("osascript", "applet", "bash", "sh", "zsh") or
(process.parent.code_signature.trusted == false or process.parent.code_signature.exists == false))
'''
# Oldest endpoint version able to evaluate this rule. The same value is
# repeated under [internal] below; keep the two in sync.
min_endpoint_version = "8.11.0"
# No optional (user-selectable) response actions are defined.
optional_actions = []
# Default response action: terminate the *parent* process (the interpreter or
# unsigned/untrusted process that spawned `open`), not the `open` process itself.
[[actions]]
action = "kill_process"
field = "process.parent.entity_id"
# state: the meaning of this value is not defined in this file — see the rule schema.
state = 0
# MITRE ATT&CK mapping. The same technique (T1574 Hijack Execution Flow) is
# listed once per tactic it contributes to: Persistence, Privilege Escalation
# and Defense Evasion.
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[threat]]
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1574"
name = "Hijack Execution Flow"
reference = "https://attack.mitre.org/techniques/T1574/"
[threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
# Tooling-internal metadata; mirrors [rule].min_endpoint_version above.
[internal]
min_endpoint_version = "8.11.0"