Osquery pack - ColdRoot detection

Original Source: [splunk source]
Name:Osquery pack - ColdRoot detection
id:a6fffe5e-05c3-4c04-badc-887607fbb8dc
version:3
date:2024-10-17
author:Rico Valdez, Splunk
status:deprecated
type:TTP
Description:This search looks for ColdRoot events from the osx-attacks osquery pack.
Data_source:
search:| from datamodel Alerts.Alerts
| search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files)
| rename columns.path as path
| bucket _time span=30s
| stats count(path) by _time, host, user, path
| `osquery_pack___coldroot_detection_filter`


how_to_implement:In order to run this search, Splunk needs to ingest data from your deployed osquery agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. The [TA-OSquery](https://github.com/d1vious/TA-osquery) add-on must also be deployed across your indexers and universal forwarders so that the osquery results populate the Alerts data model.
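To check what the search above would surface before the data reaches Splunk, the same pipeline (filter on the two pack query names, take columns.path, bucket to 30 seconds, count by time/host/user/path) can be run directly over osqueryd result-log lines. This is an added example, not part of the Splunk detection or TA-OSquery; it assumes the host comes from osquery's hostIdentifier field and the user from a decorations.username decorator, and the log lines are constructed.

```python
import json
from collections import Counter

# The two pack query names the detection search matches on.
COLDROOT_QUERIES = {
    "pack_osx-attacks_OSX_ColdRoot_RAT_Launchd",
    "pack_osx-attacks_OSX_ColdRoot_RAT_Files",
}
BUCKET_SECONDS = 30  # mirrors `bucket _time span=30s`


def bucket_time(unix_time):
    """Floor a UNIX timestamp to the start of its 30-second bucket."""
    return unix_time - (unix_time % BUCKET_SECONDS)


def coldroot_hits(result_lines):
    """Apply the detection pipeline to raw osqueryd result-log JSON lines.

    Returns {(bucket_start, host, user, path): count}, the same grouping as
    `stats count(path) by _time, host, user, path`.  Assumptions (not from the
    page): host = hostIdentifier, user = decorations.username.  Events with no
    columns.path are skipped, just as count(path) ignores a null path.
    """
    counts = Counter()
    for line in result_lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("name") not in COLDROOT_QUERIES:
            continue  # some other query from the pack, not a ColdRoot one
        path = event.get("columns", {}).get("path")
        if path is None:
            continue
        user = event.get("decorations", {}).get("username", "unknown")
        key = (bucket_time(int(event["unixTime"])), event["hostIdentifier"], user, path)
        counts[key] += 1
    return dict(counts)


# Constructed sample log lines; paths and host names are placeholders, not real ColdRoot indicators.
SAMPLE_LOG = [
    '{"name":"pack_osx-attacks_OSX_ColdRoot_RAT_Launchd","hostIdentifier":"mac-01","unixTime":1729123200,"decorations":{"username":"alice"},"columns":{"path":"/Library/LaunchDaemons/example.plist"},"action":"added"}',
    '{"name":"pack_osx-attacks_OSX_ColdRoot_RAT_Launchd","hostIdentifier":"mac-01","unixTime":1729123215,"decorations":{"username":"alice"},"columns":{"path":"/Library/LaunchDaemons/example.plist"},"action":"added"}',
    '{"name":"pack_osx-attacks_OSX_ColdRoot_RAT_Files","hostIdentifier":"mac-01","unixTime":1729123245,"decorations":{"username":"alice"},"columns":{"path":"/private/var/tmp/example.bin"},"action":"added"}',
    '{"name":"pack_osx-attacks_Unrelated_Query","hostIdentifier":"mac-01","unixTime":1729123245,"decorations":{"username":"alice"},"columns":{"path":"/tmp/other"},"action":"added"}',
    '{"name":"pack_osx-attacks_OSX_ColdRoot_RAT_Launchd","hostIdentifier":"mac-01","unixTime":1729123260,"decorations":{"username":"alice"},"columns":{"label":"example"},"action":"added"}',
]

if __name__ == "__main__":
    for key, count in sorted(coldroot_hits(SAMPLE_LOG).items()):
        print(count, *key)
```

The two launchd events 15 seconds apart collapse into one 30-second bucket with count 2, while the files event lands in the next bucket; the unrelated query and the event without a path produce nothing, which is the behaviour the SPL filter and count(path) give.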
known_false_positives:There are no known false positives.
References:
drilldown_searches:
tags:
  analytic_story:
    - 'ColdRoot MacOS RAT'
  asset_type:Endpoint
  confidence:50
  impact:50
  message:tbd
  observable:
    - name:'host'
      type:'Hostname'
      role:
        - 'Victim'
    - name:'user'
      type:'User'
      role:
        - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
  risk_score:25
  security_domain:threat

tests:
manual_test:None

Related Analytic Stories:
  - 'ColdRoot MacOS RAT'