
Elastic Defend flags bincapz as multiple forms of macOS malware (false-positive) #78

Open
@tstromberg

Description

This happens at runtime. For example, if you run "bincapz /bin/ls", Elastic Defend starts popping up notifications.

I believe this is due to Elastic Defend matching the YARA rules bundled from https://github.com/YARAHQ/yara-forge, since it doesn't happen if the "third_party/yara-rules-full.yar" file is removed.

My interpretation is that Elastic Defend is treating our binary, which loads the rules that detect macOS malware, as the underlying macOS malware itself. The base64-encoded `file.Ext.malware_signature.*.matches` values in the alert below support this: they decode to literal strings from those detection rules (e.g. `WE1SSUdfSE9TVE5BTUU=` is `XMRIG_HOSTNAME`, `VXNhZ2U6IHhtcmlnIFtPUFRJT05TXQ==` is `Usage: xmrig [OPTIONS]`), not to anything bincapz itself does.

{
  "_index": ".internal.alerts-security.alerts-default-000001",
  "_id": "e3ba01a47b8778e6b93776bef75bb5b7288b97be8c0613bf15bcd333a7d4e337",
  "_score": 1,
...
    "file.Ext.malware_classification.version": [
      "1.0.17000"
    ],
...
    "event.severity": [
      99
    ],
    "file.path.text": [
      "/private/var/folders/zj/9bf9j6r16wz87vnqkfsgl4sc0000gn/T/go-build2283998274/b001/exe/bincapz"
...
    "host.os.type": [
      "macos"
    ],
    "signal.original_event.code": [
      "malicious_file"
    ],
    "kibana.alert.original_event.module": [
      "endpoint"
    ],
...
    "kibana.alert.rule.version": [
      "102"
    ],
    "file.Ext.malware_classification.threshold": [
      0.58
    ],
    "kibana.alert.rule.actions.frequency.summary": [
      true
    ],
    "process.command_line.text": [
      "go run . --all testdata/setup.py"
    ],
    "file.Ext.malware_signature.primary.matches": [
      "L1VzZXJzL2x4ay9MaWJyYXJ5L0RldmVsb3Blci9YY29kZS9EZXJpdmVkRGF0YQ==",
      "RGVza3RvcC9TYWZhcmlGbGFzaEFjdGl2aXR5L1NhZmFyaUZsYXNoQWN0aXZpdHkvU2FmYXJpRmxhc2hBY3Rpdml0eS8=",
      "L0RlYnVnL1NhZmFyaUZsYXNoQWN0aXZpdHkuYnVpbGQvT2JqZWN0cy1ub3JtYWwveDg2XzY0L0FwcERlbGVnYXRlLm8="
    ],
    "file.hash.md5": [
      "4900acc66b8afdc7cac5103fafd7dd22"
    ],
    "file.Ext.malware_signature.secondary.matches": [
      "c2F2ZSBzYXZlQ2FwdHVyZUluZm8=",
      "c2F2ZXBob3RvIHN1Y2Nlc3Mgc2NyZWVuQ2FwdHVyZUluZm8=",
      "bm8gYXV0byBiYmJiYmFhZW5kOiVkIHBhdGggJXM=",
      "Li4vc2NyZWVuY2FwdHVyZS9zY3JlZW5fY2FwdHVyZV90aHJlYWQuY3Bw",
      "JXM6JWQsIG1fYXV0b1NjcmVlbkNhcHR1cmVRdWV1ZTogJXg=",
      "YXV0byBiYmJiYmFhZW5kOiVkIHBhdGggJXM=",
      "YXV0byBiYmJiYmFhZW5kOiVkIHBhdGggJXM=",
      "YXV0byBhYWFhYWFhYXN0YXJ0VGltZTolZCBwYXRoICVz",
      "Y29tLmNjYy5rZXlib2FyZHJlY29yZA==",
      "Y29tLmNjYy53cml0ZV9xdWV1ZQ==",
      "cHMgLXAgJXMgPiAvZGV2L251bGw=",
      "dXNlYWdlICVzIHBhdGggdXNlcmFnZW50cGlk",
      "a2V5Ym9hcmRSZWNvcmRlclN0YXJ0UEtj",
      "L0xpYnJhcnkvTGF1bmNoQWdlbnRzL2NvbS5Vc2VyQWdlbnQudmEucGxpc3Q=",
      "dGhpcyBpcyBub3Qgcm9vdA==",
      "cm0gLVJmIA==",
      "L3N0YXJ0LnNo",
      "L3N0YXJ0LnNo",
      "LmtpbGxjaGVja2VyXw==",
      "Y29tbWFuZCBsaW5lIGFyZ3VtZW50LiBTZWUgJ2V0aG1pbmVyIC1IIG1pc2MnIGZvciBkZXRhaWxzLg==",
      "RXRobWluZXIgLSBHUFUgZXRoYXNoIG1pbmVy",
      "U3RyYXR1bUNsaWVudA==",
      "bWluaW5nLnNldF90YXJnZXQ=",
      "WE1SSUdfSE9TVE5BTUU=",
      "VXNhZ2U6IHhtcmlnIFtPUFRJT05TXQ==",
      "WE1SSUdfVkVSU0lPTg==",
      "am5kaS5sZGFwLkxkYXBDdHguY19sb29rdXA=",
      "bG9nZ2luZy5sb2c0ai5jb3JlLmxvb2t1cC5KbmRpTG9va3VwLmxvb2t1cA==",
      "Y29tLnN1bi5qbmRpLnVybC5sZGFwLmxkYXBVUkxDb250ZXh0Lmxvb2t1cA==",
      "QmFzaWMvQ29tbWFuZC9CYXNlNjQv",
      "QmFzaWMvQ29tbWFuZC9CYXNlNjQv",
      "amF2YS5sYW5nLkNsYXNzQ2FzdEV4Y2VwdGlvbjogRXhwbG9pdA==",
      "V0VCLUlORi9jbGFzc2VzL0V4cGxvaXQ=",
      "RXhwbG9pdC5qYXZh",
      "W2R1bXAgfCBsaXN0IHwgYXNraGFzaCB8IGRlc2NyaWJlIHwgYXNrdGd0IHwgYXNrdGdzIHwgczR1IHwgcHR0IHwgcmVtb3ZlIHwgYXNrbGtkY2RvbWFpbl0=",
      "Wy1dIEVycm9yIGluIHBhcnNlS2lyYmk6ICVz",
      "Wy1dIEVycm9yIGluIHBhcnNlVEdTUkVQOiAlcw==",
      "Z2VuUGFzc3dvcmRIYXNoUGFzc3dvcmQ6TGVuZ3RoOkVuYzpVc2VybmFtZTpEb21haW46UHJldHR5Og==",
      "c3RvcmVMS0RDQ29uZkRhdGFGcmllbmRseU5hbWU6SG9zdG5hbWU6UGFzc3dvcmQ6Q0NhY2hlTmFtZTo=",
      "Ymlmcm9zdGNvbnNvbGUt",
      "LWtlcmJlcm9hc3Q=",
      "YXNrbGtkY2RvbWFpbg==",
      "YXNrbGtkY2RvbWFpbg==",
      "YXNraGFzaA==",
      "YXNraGFzaA==",
      "U3dpZnRCZWx0L1NvdXJjZXMvU3dpZnRCZWx0",
      "Wy1dIEZpcmVmb3ggcGxhY2VzLnNxbGl0ZSBkYXRhYmFzZSBub3QgZm91bmQgZm9yIHVzZXI=",
      "Wy1dIE5vIHNlY3VyaXR5IHByb2R1Y3RzIGZvdW5k",
      "U1NIL0FXUy9nY2xvdWQgQ3JlZGVudGlhbHMgU2VhcmNoOg==",
      "Wy1dIENvdWxkIG5vdCBvcGVuIHRoZSBTbGFjayBDb29raWVzIGRhdGFiYXNl",
      "WytdIE1hbHdhcmVieXRlcyBBL1YgZm91bmQgb24gdGhpcyBob3N0",
      "WytdIENpc2NvIEFNUCBmb3IgZW5kcG9pbnRzIGZvdW5k",
      "WytdIFNlbnRpbmVsT25lIGFnZW50IHJ1bm5pbmc=",
      "WytdIENyb3dkc3RyaWtlIEZhbGNvbiBhZ2VudCBmb3VuZA==",
      "WytdIEZpcmVFeWUgSFggYWdlbnQgaW5zdGFsbGVk",
      "WytdIExpdHRsZSBzbml0Y2ggZmlyZXdhbGwgZm91bmQ=",
      "WytdIEVTRVQgQS9WIGluc3RhbGxlZA==",
      "WytdIENhcmJvbiBCbGFjayBPU1ggU2Vuc29yIGluc3RhbGxlZA==",
      "L0xpYnJhcnkvTGl0dGxlIFNuaXRjaA==",
      "L0xpYnJhcnkvRmlyZUV5ZS94YWd0",
      "L0xpYnJhcnkvQ1MvZmFsY29uZA==",
      "L0xpYnJhcnkvTG9ncy9QYWxvQWx0b05ldHdvcmtzL0dsb2JhbFByb3RlY3Q=",
      "L0xpYnJhcnkvQXBwbGljYXRpb24gU3VwcG9ydC9NYWx3YXJlYnl0ZXM=",
      "L3Vzci9sb2NhbC9iaW4vb3NxdWVyeWk=",
      "L0xpYnJhcnkvU29waG9zIEFudGktVmlydXM=",
      "L0xpYnJhcnkvT2JqZWN0aXZlLVNlZS9MdWx1",
      "Y29tLmVzZXQucmVtb3RlYWRtaW5pc3RyYXRvci5hZ2VudA==",
      "L0FwcGxpY2F0aW9ucy9DYXJib25CbGFjay9DYk9zeFNlbnNvclNlcnZpY2U=",
      "L0FwcGxpY2F0aW9ucy9CbG9ja0Jsb2NrIEhlbHBlci5hcHA=",
      "L0FwcGxpY2F0aW9ucy9LZXh0Vmlld3IuYXBw",
      "U2NyZWVuc2hvdFRocmVhZA==",
      "S2V5bG9nVGhyZWFk",
      "R2V0Q2xpcGJvYXJkVGhyZWFk",
      "X3VwbG9hZFByb2dyZXNz",
      "a2lsbFRhc2s6",
      "X1R0QzlLZXlsb2dnZXI5S2V5bG9nZ2Vy",
      "X1R0QzlLZXlsb2dnZXIxN0NhbGxCYWNrRnVuY3Rpb25z",
      "XERFTEVURS1GT1JXQVJE",
      "XENBUFNMT0NL",
      "cmVzcF9maWxlX2Rpcg==",
      "cmVzcF9jZmdfc2V0",
      "cmVzcF9wcm9jX2tpbGw=",
      "L2NvbS5hcHBsZS5zYWZhcmkuY2s=",
      "L2Noa3VwZGF0ZS5YWFg=",
      "bWV0dGxlc3Bsb2l0ISA=",
      "X3dlYmNhbV9nZXRfZnJhbWU=",
      "X2dldF9wcm9jZXNzX2luZm8=",
      "cHJvY2Vzc19uZXc6IGdvdCAlemQgYnl0ZSBleGVjdXRhYmxlIHRvIHJ1biBpbiBtZW1vcnk=",
      "RHVtcGluZyBjZXJ0IGluZm86",
      "L1VzZXJzL3ZhZ3JhbnQvbWV0dGxlL21ldHRsZS9zcmMvcHJvY2Vzcy5j",
      "L1VzZXJzL3ZhZ3JhbnQvbWV0dGxlL21ldHRsZS9zcmMvYzJfaHR0cC5j",
      "L1VzZXJzL3ZhZ3JhbnQvbWV0dGxlL21ldHRsZS9zcmMvbWV0dGxlLmM=",
      "VXNlci1BZ2VudE1vemlsbGEvNC4wIChjb21wYXRpYmxlOyBNU0lFIDguMDsgV2luZG93cyBOVCA1LjE7IFRyaWRlbnQvNC4wKQ==",
      "L3Zhci9sb2cvaW5zdGFsbC5sb2c=",
      "JVktJW0tJWQgJUg6JU06JVM=",
      "aGVja19pZl90YXJnZXRlZA==",
      "Y2hlY2tfY29tbWFuZA==",
      "Y2hlY2tfY29tbWFuZA==",
      "Y2hlY2tfY29tbWFuZA==",
      "Y2hlY2tfY29tbWFuZA==",
      "YXNrcm9vdA==",
      "aXZfcmVzY3VlX2RhdGE=",
      "U2NyZWVuUmVjb3JkaW5nOiBOTw==",
      "QWNjZXNzaWJpbGl0eTogTk8=",
      "QWNjZXNzaWJpbGl0eTogTk8=",
      "QWNjZXNzaWJpbGl0eTogWUVT",
      "ZWNrMTNYUHJvdGVjdENoZWNr",
      "QWNjZXNzaWJpbGl0eTogTk8=",
      "QWNjZXNzaWJpbGl0eTogTk8=",
      "a01ESXRlbURpc3BsYXlOYW1lID0gKlRDQy5kYg==",
      "fVJFQ09WRVItJHtFWFRFTlNJT059LUZJTEVTLnR4dA==",
      "P2FjY2Vzcy1rZXk9JHtBQ0NFU1NfS0VZfQ==",
      "P2FjY2Vzcy1rZXk9JHtBQ0NFU1NfS0VZfQ==",
      "JHtOT1RFX0ZJTEVfTkFNRX0=",
      "ZW5hYmxlX25ldHdvcmtfZGlzY292ZXJ5",
      "ZW5hYmxlX3NldF93YWxscGFwZXI=",
      "ZW5hYmxlX2VzeGlfdm1fa2lsbA==",
      "c3RyaWN0X2luY2x1ZGVfcGF0aHM=",
      "ZXhjbHVkZV9maWxlX3BhdGhfd2lsZGNhcmQ=",
      "JHtBQ0NFU1NfS0VZfSR7RVhURU5TSU9OfQ==",
      "ZXN4Y2xpIHZtIHByb2Nlc3Mga2lsbCAtLXR5cGU9Zm9yY2UgLS13b3JsZC1pZD1LaWxsaW5n",
      "dmltLWNtZCB2bXN2Yy9zbmFwc2hvdC5yZW1vdmVhbGwgJGk=",
      "RmlsZSBhbHJlYWR5IGhhcyBlbmNyeXB0ZWQgZXh0ZW5zaW9u",
      "VWgsIG9oLCBleGl0KCkgZmFpbGVk",
      "YWdlbnRfcmVjdg==",
      "bmVlZHJvb3Q=",
      "bmVlZHJvb3Q=",
      "dGltZSBpcyBydW5uaW5nIGJhY2t3YXJkcywgY29ycmVjdGVk",
      "anVuayBwb2ludGVyLCB0b28gbG93IHRvIG1ha2Ugc2Vuc2U=",
      "dGFza19pZA==",
      "dGFza19pZA==",
      "dGFza19pZA==",
      "cG9zdF9yZXNwb25zZQ==",
      "YzJfcHJvZmlsZQ==",
      "Z2V0X3Rhc2tpbmc=",
      "dGFza2luZ19zaXpl",
      "Z2V0X2RlbGVnYXRlX3Rhc2tz",
      "dG90YWxfY2h1bmtz",
      "aXNfc2NyZWVuc2hvdA==",
      "ZmlsZV9icm93c2Vy",
      "aXNfZmlsZQ==",
      "aXNfZmlsZQ==",
      "aXNfZmlsZQ==",
      "YWNjZXNzX3RpbWU=",
      "KS5SZXF1ZXN0UmVzZW5k",
      "KS5HZXRQcml2SW5mbw==",
      "KS5HZXRSZWNvbm5lY3RJbnRlcnZhbFNlY29uZHM=",
      "KS5HZXRQaXZvdElE",
      "bmFtZT1Qcml2SW5mbw==",
      "bmFtZT1SZWNvbm5lY3RJbnRlcnZhbFNlY29uZHM=",
      "bmFtZT1QaXZvdElE",
      "Qi9aLWdpdGh1Yi5jb20vYmlzaG9wZm94L3NsaXZlci9wcm90b2J1Zi9zbGl2ZXJwYmI=",
      "SW52b2tlU3Bhd25EbGxSZXE=",
      "SW52b2tlU3Bhd25EbGxSZXE=",
      "TmV0c3RhdFJlcQ==",
      "SFRUUFNlc3Npb25Jbml0",
      "U2NyZWVuc2hvdFJlcQ==",
      "UmVnaXN0cnlSZWFkUmVx"
    ],
...
    "file.Ext.malware_classification.identifier": [
      "endpointmacho-v1-model"
    ],
...
    "file.Ext.malware_signature.all_names": [
      "MacOS.Backdoor.Fakeflashlxk-MacOS.Backdoor.Kagent-MacOS.Backdoor.Keyboardrecord-MacOS.Backdoor.Useragent-MacOS.Cryptominer.Generic-MacOS.Cryptominer.Xmrig-MacOS.Exploit.Log4j-MacOS.Hacktool.Bifrost-MacOS.Hacktool.Swiftbelt-MacOS.Trojan.Eggshell-MacOS.Trojan.Electrorat-MacOS.Trojan.KandyKorn-MacOS.Trojan.Metasploit-MacOS.Trojan.RustBucket-MacOS.Trojan.Thiefquest-Macos.Hacktool.JokerSpy-Multi.Ransomware.BlackCat-Multi.Trojan.Coreimpact-Multi.Trojan.Mythic-Multi.Trojan.Sliver"
    ],
...
    "file.Ext.malware_signature.identifier": [
      "production-malware-signature-v1-macos"
    ],
...
    "kibana.alert.original_event.code": [
      "malicious_file"
    ],
...
    "signal.rule.tags": [
      "Data Source: Elastic Defend"
    ],
    "rule.name": [
      "MacOS.Backdoor.Fakeflashlxk"
    ],
...
    "message": [
      "Malware Detection Alert"
    ],
...
      0.00105149915907532
    ],
    "kibana.alert.rule.exceptions_list.namespace_type": [
      "agnostic"
    ],
...
    "file.Ext.malware_signature.secondary.signature.name": [
      "MacOS.Backdoor.Kagent",
      "MacOS.Backdoor.Keyboardrecord",
      "MacOS.Backdoor.Useragent",
      "MacOS.Cryptominer.Generic",
      "MacOS.Cryptominer.Xmrig",
      "MacOS.Exploit.Log4j",
      "MacOS.Hacktool.Bifrost",
      "MacOS.Hacktool.Swiftbelt",
      "MacOS.Trojan.Eggshell",
      "MacOS.Trojan.Electrorat",
      "MacOS.Trojan.KandyKorn",
      "MacOS.Trojan.Metasploit",
      "MacOS.Trojan.Metasploit",
      "MacOS.Trojan.Metasploit",
      "MacOS.Trojan.RustBucket",
      "MacOS.Trojan.Thiefquest",
      "Macos.Hacktool.JokerSpy",
      "Multi.Ransomware.BlackCat",
      "Multi.Ransomware.BlackCat",
      "Multi.Trojan.Coreimpact",
      "Multi.Trojan.Mythic",
      "Multi.Trojan.Sliver",
      "Multi.Trojan.Sliver"
    ],
...
    "file.Ext.malware_signature.primary.signature.name": [
      "MacOS.Backdoor.Fakeflashlxk"
    ],
