MacOS Installer Package Spawns Network Eventedit

Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.

Rule type: eql

Rule indices:


Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Domain: Endpoint
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Execution
  • Tactic: Command and Control
  • Data Source: Elastic Defend

Version: 104

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

sequence by, with maxspan=30s
[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and : ("installer", "package_script_service") and : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
[network where host.os.type == "macos" and event.type == "start" and : ("curl", "osascript", "wget", "python")]