
Ioc#59

Open
itonyr wants to merge 4 commits intomainfrom
ioc

Conversation

@itonyr

@itonyr itonyr commented Jan 28, 2026

Proposed Change

Add a data source that will generate macOS Unified Logging commands that demonstrate Indicators of Compromise. This includes:

  • IPs that are listed on the Abusedb
  • Behaviors that demonstrate the MITRE ATT&CK Technique with ID T1649 on macOS. Specifically, it demonstrates the behavior outlined in detection strategy DET0349.

AN0992
Detect suspicious file creations and process executions triggered by browser activity (e.g., injected payloads written to %AppData% or Temp directories, then executed).

Correlate network anomalies with subsequent local process creation or script execution.

AN0993
Detect curl/wget commands saving executable/script payloads to /tmp or /var/tmp followed by execution. Monitor packet captures or IDS/IPS alerts for injected responses or mismatched content types.

AN0994
Monitor unified logs for processes spawned from Safari or other browsers that immediately load scripts or executables. Detect file drops in ~/Library/Caches or ~/Downloads that execute shortly after being written.

More IOCs to be added for UL.

Checklist
  • Changes are tested
  • CI has passed
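The AN0993/AN0994 behaviour the description targets (a file written under /tmp, /var/tmp, ~/Downloads or ~/Library/Caches and executed shortly afterwards) can be checked with a short correlation over records in the same JSON-per-line shape as this PR's sample file. The following is an added example, not code from this PR or from the blitz project: the host name, paths, pids and the staging-directory pattern are constructed, and the `%3N` rendering and trailing-comma handling are assumptions about the file layout rather than the generator's actual behaviour.

```python
import json
import re
from datetime import datetime, timedelta

# Timestamp directive used by the PR's sample records. %3N is a GNU date extension
# (first three digits of nanoseconds), not a strftime directive, so it is rendered by hand.
TS_DIRECTIVE = "%Y-%m-%dT%H:%M:%S.%3NZ"

# Constructed sample (hypothetical host, paths and pids) in the PR's record shape,
# deliberately keeping the trailing comma per line and one blank line seen in the PR.
SAMPLE_TEMPLATE = """\
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"example-mac","subsystem":"com.apple.endpointsecurity","category":"file","process":"Safari","pid":812,"ppid":1,"user":"alice","event_type":"file_create","message":"Download completed","path":"/Users/alice/Downloads/update.sh","network":null,"result":"success"},

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"example-mac","subsystem":"com.apple.endpointsecurity","category":"file","process":"curl","pid":1440,"ppid":901,"user":"alice","event_type":"file_create","message":"curl wrote file","path":"/tmp/payload.sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"example-mac","subsystem":"com.apple.endpointsecurity","category":"file","process":"Safari","pid":812,"ppid":1,"user":"alice","event_type":"file_create","message":"Download completed","path":"/Users/alice/Downloads/report.pdf","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"example-mac","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/update.sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"example-mac","subsystem":"com.apple.endpointsecurity","category":"execution","process":"sh","pid":1460,"ppid":1440,"user":"alice","event_type":"file_execute","message":"Executed payload","path":"/tmp/payload.sh","network":null,"result":"success"},
"""

# Staging directories named in AN0993/AN0994 (assumed layout for user home directories).
STAGING_RE = re.compile(r"^(/tmp/|/var/tmp/|/Users/[^/]+/(Downloads|Library/Caches)/)")

DEMO_BASE = datetime(2026, 1, 28, 16, 22, 0, 250000)


def render_timestamp(template: str, when: datetime) -> str:
    """Render a directive string, substituting %3N with milliseconds before strftime."""
    millis = f"{when.microsecond // 1000:03d}"
    return when.strftime(template.replace("%3N", millis))


def parse_records(text: str, base: datetime, step_seconds: int = 15) -> list:
    """Emit one record per non-blank line, each stamped base + n*step, as a line-oriented
    generator might. Trailing commas are stripped so every line is standalone JSON."""
    records = []
    tick = 0
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line:
            continue  # blank separator lines carry no record
        when = base + timedelta(seconds=step_seconds * tick)
        tick += 1
        rec = json.loads(line.replace(TS_DIRECTIVE, render_timestamp(TS_DIRECTIVE, when)))
        # Parse the rendered timestamp back to prove it is consumable downstream.
        rec["_time"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        records.append(rec)
    return records


def find_write_then_execute(records: list, window_seconds: int = 60) -> list:
    """Flag a file created under a staging directory that is executed within the window.
    Returns (path, writer_process, executor_process, seconds_between) tuples."""
    pending = {}
    hits = []
    for rec in sorted(records, key=lambda r: r["_time"]):
        path = rec.get("path") or ""
        if rec["event_type"] == "file_create" and STAGING_RE.match(path):
            pending[path] = rec
        elif rec["event_type"] == "file_execute" and path in pending:
            writer = pending[path]
            delta = (rec["_time"] - writer["_time"]).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.append((path, writer["process"], rec["process"], delta))
    return hits


def run_demo() -> list:
    return find_write_then_execute(parse_records(SAMPLE_TEMPLATE, DEMO_BASE))


if __name__ == "__main__":
    for path, writer, executor, secs in run_demo():
        print(f"{path}: written by {writer}, executed by {executor} after {secs:.0f}s")
```

The benign `report.pdf` download is never executed and so never surfaces; both scripts are reported because their execute events land 45 seconds after the write. Widening `window_seconds` trades missed slow-burn executions against noise from legitimate installers.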

@itonyr itonyr requested a review from a team as a code owner January 28, 2026 16:22
```shell
# Add your log files to data_library/my-dataset/
```

The `filegen` generator automatically discovers and reads files from data library directories. Use it with:
Collaborator

This statement isn't true. This generator just accepts any arbitrary path to a directory or file.

```shell
./blitz --generator-type=filegen --generator-filegen-source=data_library/my-dataset --output-type=stdout
```

The generator reads files line-by-line and supports timestamp directives (e.g., `%Y-%m-%dT%H:%M:%SZ`) for dynamic timestamp generation.
Collaborator

It doesn't read them line by line (or shouldn't); it should randomly select from within the file on each generation.

Author

I'll correct both of these doc entries and ping you!

Collaborator

Well, you were correct. I don't know how that made it through. Stupid AI not following directions, and me not being clear enough with the goal of the change to the reviewers.

I've got a PR open to fix it though. #60

{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.launchservices","category":"process","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"process_launch","message":"Shell spawned immediately after download","path":"/bin/bash","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.endpointsecurity","category":"execution","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"file_execute","message":"Executed downloaded script","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
{"timestamp":"%Y-%m-%dT%H:%M:%S.%3NZ","host":"ceos-macboo","subsystem":"com.apple.XProtectFramework","category":"malware","process":"bash","pid":1451,"ppid":901,"user":"alice","event_type":"signature_match","message":"EICAR-Test-File detected","path":"/Users/alice/Downloads/eicar_test.sh","network":null,"result":"success"},
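Review bot: each of these three records ends in `},`, so no single line is valid JSON on its own; if the generator selects and emits one line at a time, every emitted event will carry a stray trailing comma. Either drop the commas so the file is JSON Lines, or wrap the records in an array and have the generator index into it. Separately, `%3N` in the timestamp field is a GNU date extension rather than a strftime directive; confirm the generator's directive substitution handles it, otherwise the literal `%3N` will appear in the output.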

Collaborator

Another thing I noticed is that sometimes you have extra newlines. I don't know how that will affect the generator. I designed it with the sample files all not having them.
