macOS Installer Spawns Network Eventedit

Identifies when the built in macOS Installer program generates a network event after attempting to install a .pkg file. This activity has been observed being leveraged by malware.

Rule type: eql

Rule indices:


Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Execution

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positivesedit

Custom organization-specific macOS packages that use .pkg files to run cURL could trigger this rule. If known behavior is causing false positives, it can be excluded from the rule.

Rule queryedit

sequence by process.entity_id with maxspan=1m [ process where
event.type == "start" and == "macos" and
process.parent.executable in ("/usr/sbin/installer",
] [ network where not cidrmatch(destination.ip,
"", "", "",
"", "", "",
"::1", "FE80::/10", "FF00::/8") ]

Threat mappingedit