Dylib Hijacking

DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".dylib"
| where FolderPath has_any ("/tmp/", "/var/folders/", "/Users/", "/Library/Application Support/")
| where ActionType in ("FileCreated", "FileModified")
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | project DeviceId, ProcessId, FileName, FolderPath, AccountName
) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| project Timestamp, DeviceName, AccountName,
         DylibName=FileName, DylibPath=FolderPath,
         CreatingProcess=FileName1,
         SHA256
| sort by Timestamp desc

index=osquery OR index=jamf OR index=mac_management sourcetype=osquery:file_events
| where path like "%.dylib"
| where path like "/tmp/%" OR path like "/var/folders/%" OR path like "/Users/%Library/%" OR path like "/private/tmp/%"
| eval SuspiciousPath=1
| table _time, host, path, action, sha256, pid, process_name
| sort - _time

```
ALTERNATIVE for Sysmon (macOS):
```
index=mac_os sourcetype="osquery:file_events" action=CREATED
| where match(path, "\.dylib$")
| where match(path, "(/tmp/|/var/folders/|/Users/.+/Library/)")
| eval RpathHijack=if(match(path, "@rpath"), 1, 0)
| table _time, host, path, sha256, process_name, pid
| sort - _time

file where host.os.type == "macos" and event.action in ("creation", "modification") and file.extension == "dylib" and (
  file.path like "/tmp/*" or
  file.path like "/var/folders/*" or
  file.path like "/Users/*/Library/*" or
  file.path like "/private/tmp/*" or
  file.path like "/Users/*/Library/Application Support/*"
)

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceip, "username", "filename", "filepath", CATEGORYNAME(category) AS event_category, LOGSOURCENAME(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPEID IN (73, 352)
  AND LOWER("filename") LIKE '%.dylib'
  AND (
    "filepath" LIKE '/tmp/%' OR
    "filepath" LIKE '/var/folders/%' OR
    "filepath" LIKE '/Users/%/Library/%' OR
    "filepath" LIKE '/private/tmp/%' OR
    "filepath" LIKE '/Users/%/Library/Application Support/%'
  )
  AND CATEGORYNAME(category) IN ('File Created', 'File Modified', 'File Written')
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY devicetime DESC

(index=osquery OR index=jamf OR _sourceCategory=mac/filevents OR _sourceCategory=mac/osquery)
| where sourcetype matches "osquery*" or sourcetype matches "jamf*"
| where path matches "%.dylib"
| where path matches "/tmp/%" or path matches "/var/folders/%" or path matches "/Users/%/Library/%" or path matches "/private/tmp/%" or path matches "/Users/%/Library/Application Support/%"
| eval suspicious_path = if(path matches "/tmp/%" or path matches "/private/tmp/%", "temp_path",
    if(path matches "/var/folders/%", "var_folders",
    if(path matches "/Users/%/Library/Application Support/%", "app_support", "user_library")))
| eval rpath_indicator = if(path matches "%@rpath%", 1, 0)
| fields _time, host, path, action, sha256, pid, process_name, suspicious_path, rpath_indicator
| sort by _time desc

rule macos_dylib_hijacking_suspicious_path {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects creation or modification of .dylib files in macOS paths commonly abused for dylib hijacking (T1574.004). Covers @rpath-adjacent directories including /tmp, /var/folders, and user Library paths where adversaries plant malicious dynamic libraries."
    mitre_attack_tactic = "Privilege Escalation, Persistence, Defense Evasion"
    mitre_attack_technique = "T1574.004"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "FILE_CREATION" or $e.metadata.event_type = "FILE_MODIFICATION"
    $e.principal.asset.platform_software.platform = "LINUX"
    re.regex($e.target.file.full_path, `\.dylib$`)
    (
      re.regex($e.target.file.full_path, `^/tmp/`) or
      re.regex($e.target.file.full_path, `^/private/tmp/`) or
      re.regex($e.target.file.full_path, `^/var/folders/`) or
      re.regex($e.target.file.full_path, `^/Users/[^/]+/Library/`) or
      re.regex($e.target.file.full_path, `^/Users/[^/]+/Library/Application Support/`)
    )

  condition:
    $e
}

#event_simpleName=FileOpenInfo OR #event_simpleName=PeFileWritten OR #event_simpleName=FileCreated
| TargetFileName = /\.dylib$/i
| TargetFilePath = /(\/tmp\/|\/private\/tmp\/|\/var\/folders\/|\/Users\/.+\/Library\/)/ case=insensitive
| eval SuspiciousPathType = case(
    TargetFilePath = /^\/tmp\// OR TargetFilePath = /^\/private\/tmp\//, "TempPath",
    TargetFilePath = /^\/var\/folders\//, "VarFolders",
    TargetFilePath = /^\/Users\/.+\/Library\/Application Support\//, "AppSupportPath",
    TargetFilePath = /^\/Users\/.+\/Library\//, "UserLibraryPath",
    true(), "Other"
  )
| groupBy([ComputerName, UserName, TargetFileName, TargetFilePath, SuspiciousPathType, ImageFileName], function=count(1, as=EventCount))
| sort(EventCount, order=desc)