Behavioral chain (Windows): (1) a user-facing application (browser, Office, email client) opens a URL or handles a link; (2) a process in the same lineage makes an outbound connection to an untrusted domain or IP; (3) shortly after the click, a file is downloaded or unpacked into a user-writable location. Optional enrichment: a LOLBIN (e.g., mshta.exe, rundll32.exe, powershell.exe) is subsequently spawned under that lineage.
| Data Component | Log Source | Channel / Filter |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 (enable command-line auditing so the URL argument and child command lines are captured) |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 (NetworkConnect is off in the default Sysmon config; enable it for the browser/Office/mail images) |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 (FileCreate in user-writable paths) |
| Network Traffic Content (DC0085) | NSM:Flow | Suspicious URL patterns, uncommon TLDs, short-lived domains, URL shorteners; HTTP method GET/POST |

| Field | Description |
|---|---|
| TimeWindow | Correlation window (e.g., 15m) between link click / first egress / file write. |
| BrowserParents | Processes considered link sources: chrome.exe, msedge.exe, firefox.exe, winword.exe, outlook.exe, teams.exe. |
| UserPaths | User-writable directories to monitor (%USERPROFILE%\Downloads, %TEMP%, %APPDATA%\*, OneDrive caches). |
| SuspiciousTLDs | High-risk TLD and domain list (e.g., .top .xyz .monster; newly observed domains/NOD). |
| AllowedCDNs | Corporate CDNs/update hosts to reduce false positives. |

Behavioral chain (Linux): (1) a browser, office suite, or GUI mail client opens a URL; (2) an outbound connection is made to an untrusted domain; (3) a new file is written to $HOME/Downloads, /tmp, or a cache directory immediately afterwards.
| Data Component | Log Source | Channel / Filter |
|---|---|---|
| Network Connection Creation (DC0082) | auditd:SYSCALL | execve of chromium, google-chrome, firefox, libreoffice with http(s) in the command line. This is process-creation evidence of a URL hand-off (e.g., from a mail client or xdg-open), not a socket event; a click inside an already-running browser produces no execve, so pair it with NSM:Flow for the actual connection. |
| File Creation (DC0039) | auditd:SYSCALL | open, openat, creat, rename: writes under $HOME/Downloads, /tmp, ~/.cache with executable/script/archive/Office extensions (current libc implements open() via the openat syscall, so rules keyed on open alone miss most writes) |
| Network Traffic Content (DC0085) | NSM:Flow | Suspicious URL patterns, uncommon TLDs, URL shorteners |

| Field | Description |
|---|---|
| TimeWindow | Correlation window (e.g., 10–20m) between the URL hand-off and the file write. |
| UserPaths | $HOME/Downloads, /tmp, ~/.cache, ~/.local/share. |
| HighRiskExtensions | exe, elf, sh, js, py, jar, iso, img, zip, rar, xlsm, docm, xll. |
| DomainRiskScore | Heuristic or TI score threshold for domains. |
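The Windows and Linux chains above are the same three-step correlation (browser lineage, untrusted egress, risky file write in a user path, optional LOLBIN child) and only differ in the telemetry that feeds it. The following is an added example, not code from the original page: a correlator run over constructed, normalized event lines in the Windows shape (code 4688 process creation, Sysmon 3 network connect, Sysmon 11 file create). The line format, the sample events, the extension list, the LOLBIN set and the CDN allowlist are assumptions for the example; swapping the parser for auditd execve/openat records gives the Linux variant.

```python
import re
from datetime import datetime, timedelta

# Tunables from the tables above; the concrete values are assumptions for this example.
TIME_WINDOW = timedelta(minutes=15)
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "winword.exe", "outlook.exe", "teams.exe"}
USER_PATH_RE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|appdata)\\", re.I)
HIGH_RISK_EXT = {"exe", "dll", "js", "vbs", "hta", "lnk", "iso", "img", "zip", "rar", "xlsm", "docm", "xll"}
SUSPICIOUS_TLDS = {"top", "xyz", "monster"}
ALLOWED_CDNS = {"update.corp.example", "cdn.corp.example"}
LOLBINS = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}

# Constructed, normalized event lines (not real telemetry). code=4688 is Security process
# creation, code=3 is Sysmon network connect, code=11 is Sysmon file create; "detail" holds
# the command line, destination host or target file respectively. ppid=- means not recorded.
SAMPLE_LOG = r"""
2024-05-01T10:00:00Z code=4688 pid=200 ppid=100 image=msedge.exe detail=msedge.exe --single-argument https://files.invoice-portal.top/inv.zip
2024-05-01T10:00:02Z code=3 pid=200 ppid=- image=msedge.exe detail=files.invoice-portal.top
2024-05-01T10:00:09Z code=11 pid=200 ppid=- image=msedge.exe detail=C:\Users\alice\Downloads\inv.zip
2024-05-01T10:00:40Z code=4688 pid=310 ppid=200 image=powershell.exe detail=powershell.exe -w hidden -f C:\Users\alice\Downloads\run.ps1
2024-05-01T10:05:00Z code=3 pid=200 ppid=- image=msedge.exe detail=update.corp.example
2024-05-01T10:05:03Z code=11 pid=200 ppid=- image=msedge.exe detail=C:\Users\alice\Downloads\quarterly.pdf
2024-05-01T10:06:00Z code=3 pid=200 ppid=- image=msedge.exe detail=cdn.vendor.example
2024-05-01T10:06:20Z code=11 pid=200 ppid=- image=msedge.exe detail=C:\Users\alice\AppData\Local\Temp\setup.exe
"""

LINE_RE = re.compile(r"^(\S+) code=(\d+) pid=(\d+) ppid=(\S+) image=(\S+) detail=(.*)$")


def parse_log(text):
    """Parse the normalized lines into dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, code, pid, ppid, image, detail = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "code": int(code), "pid": int(pid),
            "ppid": None if ppid == "-" else int(ppid),
            "image": image.lower(), "detail": detail,
        })
    return sorted(events, key=lambda e: e["ts"])


def browser_root(pid, image, procs):
    """Walk the parent chain; return the pid of the nearest BrowserParents ancestor, else None."""
    seen = set()
    while pid is not None and pid not in seen:
        seen.add(pid)
        if image in BROWSER_PARENTS:
            return pid
        ppid, _ = procs.get(pid, (None, None))
        pid, image = ppid, procs.get(ppid, (None, None))[1]
    return None


def correlate(events):
    """Emit one alert per risky file write that follows untrusted egress from the same lineage."""
    procs = {e["pid"]: (e["ppid"], e["image"]) for e in events if e["code"] == 4688}
    alerts = []
    for write in (e for e in events if e["code"] == 11):
        path = write["detail"]
        ext = path.rsplit(".", 1)[-1].lower()
        root = browser_root(write["pid"], write["image"], procs)
        if root is None or not USER_PATH_RE.match(path) or ext not in HIGH_RISK_EXT:
            continue
        # Step 2: most recent non-allowlisted egress from the same lineage inside the window.
        egress = [e for e in events if e["code"] == 3
                  and write["ts"] - TIME_WINDOW <= e["ts"] <= write["ts"]
                  and e["detail"].lower() not in ALLOWED_CDNS
                  and browser_root(e["pid"], e["image"], procs) == root]
        if not egress:
            continue
        host = egress[-1]["detail"].lower()
        tld = host.rsplit(".", 1)[-1]
        # Optional enrichment: LOLBINs spawned under the same lineage after the write.
        children = [e["image"] for e in events if e["code"] == 4688 and e["image"] in LOLBINS
                    and write["ts"] <= e["ts"] <= write["ts"] + TIME_WINDOW
                    and browser_root(e["pid"], e["image"], procs) == root]
        alerts.append({"root_pid": root, "host": host, "file": path,
                       "severity": "high" if tld in SUSPICIOUS_TLDS else "medium",
                       "lolbin_children": children})
    return alerts


def run_sample():
    return correlate(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Anchoring on the file write rather than the egress keeps the output to one alert per dropped file; the allowlisted update.corp.example fetch and the quarterly.pdf write produce nothing, the .top download is rated high and gains the powershell.exe child, and the vendor CDN download is rated medium.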

Behavioral chain (macOS): (1) Safari, Chrome, Firefox, or Office handles a URL; the unified log shows the open/click or the LSQuarantine assignment; (2) an outbound connection is made to an untrusted domain; (3) a new file appears in ~/Downloads or /private/var/folders/* carrying the quarantine attribute.
| Data Component | Log Source | Channel / Filter |
|---|---|---|
| Network Traffic Content (DC0085) | macos:unifiedlog | `open URL`, `clicked link`, LSQuarantineAttach messages (evidence that an application handled the link, not packet content; pair with NSM:Connections for the traffic itself) |
| Network Connection Creation (DC0082) | NSM:Connections | New outbound connection from Safari, Chrome, Firefox, or Word |
| File Creation (DC0039) | fs:fsevents | Create in /Users/*/Downloads or /private/var/folders/* with the com.apple.quarantine attribute |

| Field | Description |
|---|---|
| TimeWindow | Correlation window (e.g., 10–30m) between the link hand-off and the file creation. |
| QuarantinePolicy | Alert when a newly created executable or archive in a download location lacks com.apple.quarantine: Gatekeeper will not inspect such a file, and its absence indicates a non-browser fetch (e.g., curl) or a stripped attribute. |
| SuspiciousTLDs | Org-specific list of risky domains and TLDs. |
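On macOS the quarantine attribute itself carries the two facts the chain needs: the download time and the agent that fetched the file. The following is an added example, not code from the original page: it parses the `com.apple.quarantine` value (`flags;hex Unix timestamp;agent;uuid`), applies the QuarantinePolicy from the table above, and ties a quarantined file back to the most recent connection from the same application inside TimeWindow. The file inventory, connection records, extension list and agent-to-process mapping are constructed assumptions; the flags field is kept numeric because its bit meanings are not described here.

```python
from datetime import datetime, timedelta, timezone

# Tunables from the table above; concrete values are assumptions for this example.
TIME_WINDOW = timedelta(minutes=30)
DOWNLOAD_DIRS = ("/Users/", "/private/var/folders/")
HIGH_RISK_EXT = {"app", "pkg", "dmg", "sh", "command", "py", "jar", "zip", "iso", "docm", "xlsm"}
SUSPICIOUS_TLDS = {"top", "xyz", "monster"}
# Agent names as written into the xattr, mapped to the process names a network sensor reports
# (assumed mapping; verify against your own NSM/EDR naming).
AGENT_TO_PROCESS = {"Safari": "Safari", "Chrome": "Google Chrome", "Firefox": "firefox"}


def parse_quarantine(value):
    """Split a com.apple.quarantine value 'flags;hex_unix_time;agent;uuid' into fields."""
    parts = value.split(";")
    if len(parts) < 3:
        raise ValueError("malformed quarantine attribute: %r" % value)
    return {
        "flags": int(parts[0], 16),
        "downloaded_at": datetime.fromtimestamp(int(parts[1], 16), tz=timezone.utc),
        "agent": parts[2],
        "uuid": parts[3] if len(parts) > 3 else "",
    }


def is_monitored(path):
    """Only download locations and risky extensions are in scope for the policy."""
    ext = path.rsplit(".", 1)[-1].lower()
    return path.startswith(DOWNLOAD_DIRS) and ext in HIGH_RISK_EXT


def evaluate(path, xattrs, egress):
    """Return a finding for one new file, or None. egress is a list of (ts, process, host)."""
    if not is_monitored(path):
        return None
    value = xattrs.get("com.apple.quarantine")
    if value is None:
        # QuarantinePolicy: executable content in a download path with no quarantine flag.
        return {"path": path, "finding": "missing_quarantine", "severity": "high"}
    meta = parse_quarantine(value)
    proc = AGENT_TO_PROCESS.get(meta["agent"], meta["agent"])
    candidates = [(ts, host) for ts, p, host in egress
                  if p == proc and meta["downloaded_at"] - TIME_WINDOW <= ts <= meta["downloaded_at"]]
    if not candidates:
        return None
    _, host = max(candidates)  # latest connection from the downloading agent before the write
    tld = host.rsplit(".", 1)[-1]
    return {"path": path, "finding": "link_download", "agent": meta["agent"], "host": host,
            "severity": "high" if tld in SUSPICIOUS_TLDS else "medium"}


# Constructed sample data (not real host output). In production the xattr value comes from
# `xattr -p com.apple.quarantine <file>` or an EDR file event; egress comes from NSM:Connections.
_T = datetime(2024, 5, 1, 8, 7, 28, tzinfo=timezone.utc)
_UUID = "8F1C2A5E-4B6D-4E7F-9A0B-1C2D3E4F5A6B"
SAMPLE_FILES = [
    ("/Users/bob/Downloads/Invoice.pkg",
     {"com.apple.quarantine": "0083;%x;Chrome;%s" % (int(_T.timestamp()), _UUID)}),
    ("/Users/bob/Downloads/tool.sh", {}),            # executable content, no quarantine xattr
    ("/Users/bob/Downloads/notes.txt", {}),          # out of scope: not a risky extension
    ("/Users/bob/Downloads/Xcode.dmg",
     {"com.apple.quarantine": "0081;%x;Safari;%s" % (int((_T - timedelta(minutes=4)).timestamp()), _UUID)}),
]
SAMPLE_EGRESS = [
    (_T - timedelta(seconds=18), "Google Chrome", "dl.invoice-portal.xyz"),
    (_T - timedelta(minutes=5), "Safari", "www.apple.com"),
]


def run_sample():
    return [f for f in (evaluate(p, x, SAMPLE_EGRESS) for p, x in SAMPLE_FILES) if f]


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The pkg fetched by Chrome 18 seconds after a connection to a .xyz host is rated high, the shell script with no quarantine attribute trips the policy regardless of any egress, the text file is ignored, and the Safari download that follows a connection to www.apple.com is rated medium.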