avrgsec
Detection Engineering | Incident Response | SecOps | Strategy
Recent Detections
Suspicious Network Connection from Shell Launch
Detects network connections initiated immediately after shell launch. When a terminal opens, the shell RC file (.zshrc) is executed. Attackers may abuse this to beacon to command and control servers, exfiltrate data and credentials (keychain files, for example), or download additional payloads. This detection identifies suspicious network tools launched directly from the shell.
Potential Credential Exfiltration via Shell Configuration
Detects processes spawned from shell initialisation that access sensitive credential files. Attackers use .zshrc to automatically search for and exfiltrate SSH keys, AWS credentials, API tokens, keychain databases, and other sensitive authentication materials when a terminal is opened. This detection identifies suspicious file access patterns combined with credential-related commands.
Suspicious Process Modifying .zshrc Configuration
Detects modification of the .zshrc shell configuration file by abnormal processes. Attackers commonly modify .zshrc to establish persistence, execute malicious code on terminal launch, or exfiltrate sensitive data. This detection focuses on modifications made by non-standard editors or processes executing from temporary directories.
Root Service Execution from Suspicious Path
Detects the system launchd process (PID 1) executing a child process from a suspicious, non-standard directory. This indicates a LaunchDaemon has been compromised to run a malicious payload.
Latest Posts
Understanding and detecting macOS Persistence via Shell Configuration Files
Part 1 - Stepping into the shoes of the attacker - From blue to red and back again
The first in a series of blog posts discussing why it's important to think like an attacker.