Elastic Defend flags bincapz as multiple forms of macOS malware (false-positive) #78
Open
opened on Mar 29, 2024
This is at runtime. For example, if you run "bincapz /bin/ls", Elastic Defend starts popping up notifications.
I believe this is due to Elastic Defend matching the YARA rules from https://github.com/YARAHQ/yara-forge - as it doesn't happen if you remove the "third_party/yara-rules-full.yar" file.
My interpretation is that Elastic Defend is flagging us loading the rules that detect macOS malware as the underlying macOS malware itself.
{
"_index": ".internal.alerts-security.alerts-default-000001",
"_id": "e3ba01a47b8778e6b93776bef75bb5b7288b97be8c0613bf15bcd333a7d4e337",
"_score": 1,
...
"file.Ext.malware_classification.version": [
"1.0.17000"
],
...
"event.severity": [
99
],
"file.path.text": [
"/private/var/folders/zj/9bf9j6r16wz87vnqkfsgl4sc0000gn/T/go-build2283998274/b001/exe/bincapz"
...
"host.os.type": [
"macos"
],
"signal.original_event.code": [
"malicious_file"
],
"kibana.alert.original_event.module": [
"endpoint"
],
...
"kibana.alert.rule.version": [
"102"
],
"file.Ext.malware_classification.threshold": [
0.58
],
"kibana.alert.rule.actions.frequency.summary": [
true
],
"process.command_line.text": [
"go run . --all testdata/setup.py"
],
"file.Ext.malware_signature.primary.matches": [
"L1VzZXJzL2x4ay9MaWJyYXJ5L0RldmVsb3Blci9YY29kZS9EZXJpdmVkRGF0YQ==",
"RGVza3RvcC9TYWZhcmlGbGFzaEFjdGl2aXR5L1NhZmFyaUZsYXNoQWN0aXZpdHkvU2FmYXJpRmxhc2hBY3Rpdml0eS8=",
"L0RlYnVnL1NhZmFyaUZsYXNoQWN0aXZpdHkuYnVpbGQvT2JqZWN0cy1ub3JtYWwveDg2XzY0L0FwcERlbGVnYXRlLm8="
],
"file.hash.md5": [
"4900acc66b8afdc7cac5103fafd7dd22"
],
"file.Ext.malware_signature.secondary.matches": [
...
],
...
"file.Ext.malware_classification.identifier": [
"endpointmacho-v1-model"
],
...
"file.Ext.malware_signature.all_names": [
"MacOS.Backdoor.Fakeflashlxk-MacOS.Backdoor.Kagent-MacOS.Backdoor.Keyboardrecord-MacOS.Backdoor.Useragent-MacOS.Cryptominer.Generic-MacOS.Cryptominer.Xmrig-MacOS.Exploit.Log4j-MacOS.Hacktool.Bifrost-MacOS.Hacktool.Swiftbelt-MacOS.Trojan.Eggshell-MacOS.Trojan.Electrorat-MacOS.Trojan.KandyKorn-MacOS.Trojan.Metasploit-MacOS.Trojan.RustBucket-MacOS.Trojan.Thiefquest-Macos.Hacktool.JokerSpy-Multi.Ransomware.BlackCat-Multi.Trojan.Coreimpact-Multi.Trojan.Mythic-Multi.Trojan.Sliver"
],
...
"file.Ext.malware_signature.identifier": [
"production-malware-signature-v1-macos"
],
...
"kibana.alert.original_event.code": [
"malicious_file"
],
...
"signal.rule.tags": [
"Data Source: Elastic Defend"
],
"rule.name": [
"MacOS.Backdoor.Fakeflashlxk"
],
...
"message": [
"Malware Detection Alert"
],
...
0.00105149915907532
],
"kibana.alert.rule.exceptions_list.namespace_type": [
"agnostic"
],
...
"file.Ext.malware_signature.secondary.signature.name": [
"MacOS.Backdoor.Kagent",
"MacOS.Backdoor.Keyboardrecord",
"MacOS.Backdoor.Useragent",
"MacOS.Cryptominer.Generic",
"MacOS.Cryptominer.Xmrig",
"MacOS.Exploit.Log4j",
"MacOS.Hacktool.Bifrost",
"MacOS.Hacktool.Swiftbelt",
"MacOS.Trojan.Eggshell",
"MacOS.Trojan.Electrorat",
"MacOS.Trojan.KandyKorn",
"MacOS.Trojan.Metasploit",
"MacOS.Trojan.Metasploit",
"MacOS.Trojan.Metasploit",
"MacOS.Trojan.RustBucket",
"MacOS.Trojan.Thiefquest",
"Macos.Hacktool.JokerSpy",
"Multi.Ransomware.BlackCat",
"Multi.Ransomware.BlackCat",
"Multi.Trojan.Coreimpact",
"Multi.Trojan.Mythic",
"Multi.Trojan.Sliver",
"Multi.Trojan.Sliver"
],
...
"file.Ext.malware_signature.primary.signature.name": [
"MacOS.Backdoor.Fakeflashlxk"
],
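One way to check the hypothesis in this report, as an added example that is not part of bincapz or of Elastic's code: decode the base64 `file.Ext.malware_signature.secondary.matches` values from the alert and look each plain-text string up in the YARA bundle the scanner ships. The alert fragment and the rule bundle below are constructed (field names and the four base64 values come from the alert above; the rule names are hypothetical), and any matched string the bundle does not explain is left for a human to look at.

```python
"""Triage helper for an Elastic Defend malware_signature alert (added example)."""
import base64
import json
import re

# Constructed alert fragment: field names and these four base64 match values
# are taken from the alert in the issue; the rest of the record is omitted.
ALERT_JSON = json.dumps({
    "rule.name": ["MacOS.Backdoor.Fakeflashlxk"],
    "file.Ext.malware_signature.secondary.matches": [
        "WE1SSUdfSE9TVE5BTUU=",
        "VXNhZ2U6IHhtcmlnIFtPUFRJT05TXQ==",
        "dGhpcyBpcyBub3Qgcm9vdA==",
        "cm0gLVJmIA==",
    ],
})

# Constructed stand-in for third_party/yara-rules-full.yar (hypothetical rule
# names; only the quoted string literals matter for this check).
RULE_BUNDLE = r'''
rule sample_xmrig { strings: $a = "XMRIG_HOSTNAME" $b = "Usage: xmrig [OPTIONS]" condition: any of them }
rule sample_agent { strings: $a = "this is not root" condition: $a }
'''

# Quoted text strings in a YARA "strings:" section, e.g. $a = "..."
YARA_STRING = re.compile(r'\$\w*\s*=\s*"((?:[^"\\]|\\.)*)"')


def decode_matches(alert_json: str) -> list[str]:
    """Return the plain-text form of the base64 matched strings in the alert."""
    alert = json.loads(alert_json)
    return [base64.b64decode(m).decode("utf-8", "replace")
            for m in alert.get("file.Ext.malware_signature.secondary.matches", [])]


def rule_literals(bundle: str) -> set[str]:
    """Collect every quoted text string defined in a YARA rule bundle."""
    return {m.group(1) for m in YARA_STRING.finditer(bundle)}


def triage(alert_json: str, bundle: str) -> dict:
    """Split matched strings into those explained by the rule bundle and the rest.

    Only when every match is a literal from the bundle is the alert marked as a
    likely rule-bundle false positive; anything else needs a human look.
    """
    literals = rule_literals(bundle)
    decoded = decode_matches(alert_json)
    explained = [s for s in decoded if s in literals]
    unexplained = [s for s in decoded if s not in literals]
    return {"explained": explained, "unexplained": unexplained,
            "likely_rule_bundle_fp": not unexplained}
```

With the constructed bundle above, three of the four matches are rule literals and `rm -Rf ` is not, so the helper reports the alert as not yet explained; against the real yara-rules-full.yar the same lookup tells you whether every matched string is detection content.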