Cause→effect chain: (1) a user-facing app (Office/PDF reader/archiver/browser) records an open/click or abnormal event, then (2) a downloaded file is created in a user-writable path and/or decompressed, (3) the parent user app spawns a living-off-the-land binary (e.g., powershell/cmd/mshta/rundll32/msiexec/wscript/expand/zip) or an installer, and (4) immediate outbound HTTP(S)/DNS/SMB follows from the same process lineage.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | WinEventLog:Application | EventCode=1000,1001 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| TimeWindow | Correlation window (e.g., 15 minutes) from document open to child spawn/egress. |
| HighRiskParents | Apps that should rarely spawn OS utilities (winword.exe, excel.exe, powerpnt.exe, acrord32.exe, chrome.exe, msedge.exe, firefox.exe, 7zFM.exe, winrar.exe, explorer.exe). |
| HighRiskChildren | LOLBIN list: powershell.exe, cmd.exe, wscript.exe, cscript.exe, mshta.exe, rundll32.exe, regsvr32.exe, msiexec.exe, curl.exe, bitsadmin.exe, pcalua.exe, expand.exe, tar.exe. |
| UserPaths | Writable paths to watch: %USERPROFILE%\Downloads, %TEMP%, %APPDATA%\*, OneDrive/Teams cache, Office startup folders. |
| EgressAllowList | Corporate update/CDN domains and proxy egress CIDRs used to suppress benign updater traffic. |
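The correlation this chain describes, written out as an added example (not code from the page or from ATT&CK): constructed Sysmon 11 / Security 4688 / Sysmon 3 records are joined by process lineage inside TimeWindow, filtered by HighRiskParents, HighRiskChildren and UserPaths, and suppressed by the EgressAllowList. The updater host and proxy CIDR are assumed values, and the Linux and macOS chains below need only different lists.

```python
import ipaddress
from datetime import datetime, timedelta
TIME_WINDOW = timedelta(minutes=15)
HIGH_RISK_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe", "chrome.exe", "msedge.exe", "firefox.exe", "7zfm.exe", "winrar.exe"}
HIGH_RISK_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe", "curl.exe", "bitsadmin.exe"}
USER_PATH_MARKERS = ("\\downloads\\", "\\appdata\\", "\\temp\\")
EGRESS_ALLOW_HOSTS = {"update.microsoft.com"}              # assumed corporate updater host
EGRESS_ALLOW_CIDRS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed proxy egress CIDR
# Constructed, normalised records (not real telemetry). code 11 = Sysmon file create,
# 4688 = Security process create, 3 = Sysmon network connect; "t" is ISO-8601.
EVENTS = [
    {"t": "2024-05-01T09:00:05", "code": 11, "pid": 4100, "target": r"C:\Users\alice\Downloads\invoice.docm"},
    {"t": "2024-05-01T09:00:40", "code": 4688, "pid": 5200, "parent_pid": 4100,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"t": "2024-05-01T09:00:43", "code": 3, "pid": 5200, "dest": "203.0.113.10", "dest_host": ""},
    # Benign lookalike: Chrome dropped a file and spawned cmd.exe, but cmd only reached the proxy range.
    {"t": "2024-05-01T09:09:50", "code": 11, "pid": 6000, "target": r"C:\Users\alice\Downloads\report.zip"},
    {"t": "2024-05-01T09:10:00", "code": 4688, "pid": 6300, "parent_pid": 6000,
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"t": "2024-05-01T09:10:02", "code": 3, "pid": 6300, "dest": "10.20.30.40", "dest_host": ""},
]

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def egress_allowed(dest, host=""):
    """True when the destination matches the EgressAllowList by hostname or by CIDR."""
    if host.lower() in EGRESS_ALLOW_HOSTS:
        return True
    try:
        return any(ipaddress.ip_address(dest) in net for net in EGRESS_ALLOW_CIDRS)
    except ValueError:
        return False

def correlate(events):
    """One alert per high-risk parent -> LOLBIN spawn preceded (within TIME_WINDOW) by a file drop from that parent into a user path and followed by non-allow-listed egress of the child."""
    alerts, ts = [], (lambda e: datetime.fromisoformat(e["t"]))
    for s in events:
        if s["code"] != 4688 or _name(s["parent_image"]) not in HIGH_RISK_PARENTS or _name(s["image"]) not in HIGH_RISK_CHILDREN:
            continue
        t = ts(s)
        drops = [e["target"] for e in events if e["code"] == 11 and e["pid"] == s["parent_pid"]
                 and t - TIME_WINDOW <= ts(e) <= t and any(m in e["target"].lower() for m in USER_PATH_MARKERS)]
        egress = [e["dest"] for e in events if e["code"] == 3 and e["pid"] == s["pid"]
                  and t <= ts(e) <= t + TIME_WINDOW and not egress_allowed(e["dest"], e["dest_host"])]
        if drops and egress:  # all three stages present in one lineage -> alert
            alerts.append({"parent": _name(s["parent_image"]), "child": _name(s["image"]), "dropped": drops, "egress": egress})
    return alerts
```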
Cause→effect chain: (1) a user app/browser/archiver logs an open/click or abnormal exit, (2) a new executable/script/archive is extracted into $HOME/Downloads, /tmp, or ~/.cache, (3) the parent app spawns a shell/interpreter (bash/sh/python/node/curl/wget) or a desktop file, and (4) new outbound connection(s) originate from the child lineage.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | linux:syslog | opened document \| clicked link \| segfault \| abnormal termination \| sandbox |
| File Access (DC0055) | auditd:SYSCALL | open |
| File Creation (DC0039) | auditd:SYSCALL | creat |
| File Modification (DC0061) | auditd:SYSCALL | rename,chmod |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Connection Creation (DC0082) | NSM:Flow | new outbound connection from browser/office lineage |

| Field | Description |
|---|---|
| TimeWindow | 5–20 minute correlation window. |
| UserPaths | $HOME/Downloads, /tmp, ~/.cache, ~/.config/autostart, ~/.local/share. |
| HighRiskChildren | bash, sh, zsh, python*, perl, node, curl, wget, xdg-open, kde-open, gio open, unzip/tar extraction leading to exec. |
| PkgUpdaters | Allow-list snap/flatpak/packagekit/apt workers to reduce false positives. |
Cause→effect chain: (1) unified logs show an application open/click or crash for Safari/Chrome/Office/Preview/archiver, (2) a file is written or extracted into ~/Downloads, /private/var/folders/* or ~/Library, (3) the parent app spawns osascript/bash/zsh/curl/python or opens a quarantined app with Gatekeeper prompts, and (4) network egress originates from the child.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | macos:unifiedlog | opened document \| clicked link \| EXC_BAD_ACCESS \| abort \| LSQuarantine |
| File Creation (DC0039) | fs:fileevents | create/write/rename in user-writable paths |
| Process Creation (DC0032) | macos:osquery | exec |
| Network Connection Creation (DC0082) | NSM:Flow | new outbound connection from exploited lineage |

| Field | Description |
|---|---|
| TimeWindow | 10–30 minute correlation window. |
| HighRiskChildren | osascript, bash, zsh, curl, python, open -a Terminal, installer, tccutil misuse. |
| QuarantineSignals | Flag new apps lacking com.apple.quarantine or carrying quarantine='0081' (downloaded, then auto-opened). |
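The QuarantineSignals check above, as an added example (not the page's own code): it parses the com.apple.quarantine value (flags;hex epoch;agent;uuid) and reports a newly seen app that lacks the attribute, carries flags 0081, or spawned a HighRiskChildren process within TimeWindow of its download timestamp. The sample xattr value, app name and exec time are constructed.

```python
from datetime import datetime, timedelta, timezone

TIME_WINDOW = timedelta(minutes=30)
HIGH_RISK_CHILDREN = {"osascript", "bash", "zsh", "curl", "python", "installer"}
AUTO_OPENED = 0x0081  # the quarantine flag value the page singles out: downloaded, then auto-opened

def parse_quarantine(value):
    """Parse a com.apple.quarantine xattr string of the form 'flags;hex_epoch;agent;uuid'.
    Returns None when the value does not have that shape."""
    parts = value.split(";")
    if len(parts) < 2:
        return None
    try:
        flags, stamp = int(parts[0], 16), int(parts[1], 16)
    except ValueError:
        return None
    return {"flags": flags, "downloaded_at": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "agent": parts[2] if len(parts) > 2 else "", "uuid": parts[3] if len(parts) > 3 else ""}

def quarantine_signal(app, xattr_value, exec_time, child):
    """Reasons (possibly none) to flag a newly seen app that spawned `child` at `exec_time`.
    xattr_value is the raw com.apple.quarantine string, or None when the attribute is absent."""
    if child not in HIGH_RISK_CHILDREN:
        return []
    if xattr_value is None:
        return [f"{app}: no com.apple.quarantine on a newly seen app"]
    q = parse_quarantine(xattr_value)
    if q is None:
        return [f"{app}: unparseable quarantine value {xattr_value!r}"]
    reasons = []
    if q["flags"] == AUTO_OPENED:
        reasons.append(f"{app}: quarantine flags 0081 (downloaded via {q['agent'] or 'unknown agent'}, auto-opened)")
    delay = exec_time - q["downloaded_at"]
    if timedelta(0) <= delay <= TIME_WINDOW:
        reasons.append(f"{app}: spawned {child} {int(delay.total_seconds())}s after download")
    return reasons

# Constructed sample: the value `xattr -p com.apple.quarantine <app>` would print, and the exec time.
SAMPLE_XATTR = "0081;66303480;Safari;9B3F0C2E-1D4A-4E7B-8C6D-0123456789AB"
SAMPLE_EXEC = datetime(2024, 4, 30, 0, 5, tzinfo=timezone.utc)
```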
Cause→effect chain in CI/dev desktops: (1) the user triggers a container run/pull after opening a doc/link/script, (2) the newly created image/container uses an unexpected external registry or entrypoint, and (3) the container starts and immediately egresses to suspicious destinations.

| Data Component | Name | Channel |
|---|---|---|
| Container Creation (DC0072) | docker:events | created,started: new container from untrusted registry or unexpected entrypoint |
| Container Start (DC0077) | docker:events | start |
| Network Traffic Content (DC0085) | NSM:Flow | container egress to unknown IPs/domains |

| Field | Description |
|---|---|
| TrustedRegistries | Approved registries/namespaces. |
| AllowedEntrypoints | Expected CMD/ENTRYPOINT for known images. |
| TimeWindow | Correlate user action → docker/podman run within 10 minutes. |
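The container chain above as an added example (not project code): a Docker-style image reference parser resolves the registry so short names such as python:3.12 compare correctly against TrustedRegistries, the entrypoint is checked against AllowedEntrypoints, and the container only alerts when it started within TimeWindow of the user action and egressed right after. The registry names, expected entrypoints and the sample event/flow records are assumed.

```python
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(minutes=10)
TRUSTED_REGISTRIES = {"docker.io/library", "registry.internal.example/ci"}   # assumed registry/namespace prefixes
ALLOWED_ENTRYPOINTS = {"docker.io/library/python": ["python3"],              # assumed expected ENTRYPOINT per image
                       "registry.internal.example/ci/builder": ["/entrypoint.sh"]}

def parse_image_ref(ref):
    """Resolve an image reference the way the Docker CLI does: a first path component containing a dot
    or colon, or equal to 'localhost', is the registry, otherwise docker.io; a bare docker.io name gets 'library/'."""
    path, _, digest = ref.partition("@")
    first, sep, rest = path.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, repo = first, rest
    else:
        registry, repo = "docker.io", path
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo
    tag = "latest"
    if ":" in repo.rsplit("/", 1)[-1]:
        repo, tag = repo.rsplit(":", 1)
    return {"registry": registry, "repository": repo, "tag": tag, "digest": digest}

def evaluate_container(event, user_action_at, flows):
    """Alert reasons for one constructed container record. `event` holds what an enrichment step would
    gather from `docker events` plus `docker inspect` (id, image, entrypoint, started_at);
    `flows` are (container_id, destination, ISO time) tuples from the NSM sensor."""
    img = parse_image_ref(event["image"])
    full = f"{img['registry']}/{img['repository']}"
    reasons = []
    if not any(full == p or full.startswith(p + "/") for p in TRUSTED_REGISTRIES):
        reasons.append(f"image {event['image']} resolves to untrusted {full}")
    expected = ALLOWED_ENTRYPOINTS.get(full)
    if expected is not None and event["entrypoint"] != expected:
        reasons.append(f"entrypoint {event['entrypoint']} differs from expected {expected}")
    started = datetime.fromisoformat(event["started_at"])
    if not (timedelta(0) <= started - user_action_at <= TIME_WINDOW):
        return []  # not within the user-action -> run window this rule correlates on
    egress = [d for cid, d, t in flows
              if cid == event["id"] and timedelta(0) <= datetime.fromisoformat(t) - started <= TIME_WINDOW]
    if reasons and egress:
        return reasons + [f"egress to {egress} within {TIME_WINDOW} of start"]
    return []

# Constructed sample: an image from an unapproved registry, started 2 minutes after the user's click, egressing 5 s later.
USER_ACTION = datetime(2024, 5, 1, 10, 0)
SAMPLE_EVENT = {"id": "c1f2", "image": "ghcr.example/tools/builder:latest", "entrypoint": ["/bin/sh"], "started_at": "2024-05-01T10:02:00"}
SAMPLE_FLOWS = [("c1f2", "198.51.100.7", "2024-05-01T10:02:05")]
```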
Cause→effect chain in cloud consoles: (1) the user clicks a link and then invokes instance/image creation via the API, (2) the instance/image originates from an external AMI or unknown image, and (3) the instance immediately egresses or retrieves payloads.

| Data Component | Name | Channel |
|---|---|---|
| Instance Creation (DC0076) | AWS:CloudTrail | RunInstances,CreateImage |
| Instance Start (DC0080) | AWS:CloudTrail | StartInstances |
| Network Traffic Content (DC0085) | gcp:vpcflow | first 5m egress to unknown ASNs |

| Field | Description |
|---|---|
| ApprovedImages | AMI/image allow-list with owners. |
| UserContext | High-risk identities (federated, external IdP). |
| TimeWindow | 5–30 minutes from console/API action to network egress. |
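The cloud-console chain above as an added example (not the page's code): it pulls the launched instance ids and AMI out of a CloudTrail RunInstances record, flags unapproved images and federated/assumed-role identities, and alerts only when the instance egresses to a non-internal address within TimeWindow. The approved-image map, the internal CIDR, the sample record and the flow tuples (which stand in for the vendor flow-log schema) are all constructed.

```python
import ipaddress
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(minutes=30)   # upper end of the page's 5-30 minute action -> egress window
APPROVED_IMAGES = {"ami-0a1b2c3d4e5f60001": "amazon", "ami-0a1b2c3d4e5f60002": "platform-team"}  # assumed allow-list: image -> owner
HIGH_RISK_IDENTITY_TYPES = {"FederatedUser", "AssumedRole"}   # assumed: treat federated and assumed-role sessions as high-risk
EGRESS_ALLOW = [ipaddress.ip_network("10.0.0.0/8")]           # assumed internal range; anything else is 'unknown'

def _t(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def launched_instances(record):
    """(instanceId, imageId) pairs from a CloudTrail RunInstances record; the requested imageId
    applies to every instance returned in responseElements."""
    if record.get("eventName") != "RunInstances":
        return []
    image = record["requestParameters"]["instancesSet"]["items"][0]["imageId"]
    items = (record.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
    return [(i["instanceId"], image) for i in items]

def evaluate_launch(record, flows):
    """Alert reasons for one RunInstances record. `flows` are constructed (instanceId, dst, ISO time)
    tuples standing in for the VPC flow log; a launch alerts only when it is both suspicious and egresses."""
    reasons = []
    ident = record.get("userIdentity", {}).get("type", "")
    at = _t(record["eventTime"])
    for inst, image in launched_instances(record):
        flags = []
        if image not in APPROVED_IMAGES:
            flags.append(f"{inst}: image {image} is not on the approved list")
        if ident in HIGH_RISK_IDENTITY_TYPES:
            flags.append(f"{inst}: launched by high-risk identity type {ident}")
        egress = [d for i, d, t in flows if i == inst and timedelta(0) <= _t(t) - at <= TIME_WINDOW
                  and not any(ipaddress.ip_address(d) in n for n in EGRESS_ALLOW)]
        if flags and egress:
            reasons += flags + [f"{inst}: egress to {egress} within {TIME_WINDOW} of launch"]
    return reasons

# Constructed CloudTrail record (field layout follows RunInstances events; ids and ARN are made up).
SAMPLE_RECORD = {
    "eventTime": "2024-05-01T11:00:00Z", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
    "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ExternalIdPDev/alice"},
    "requestParameters": {"instancesSet": {"items": [{"imageId": "ami-0ffffffffffffffff", "minCount": 1, "maxCount": 1}]}},
    "responseElements": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}},
}
SAMPLE_FLOWS = [("i-0123456789abcdef0", "198.51.100.25", "2024-05-01T11:03:10Z")]
```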