Elastic Detection Rule Development: OSX/Dok to Rule

Austin Songer
Jun 9, 2021


OSX/Dok Malware Example

Let's take an example. Say I was working, got a notification through Cyware social threat feeds, and read the following malware research:

  • OSX/Dok [https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/]

After reading this research about the threat, I can immediately draft a couple of rules (in "development" status) for this specific threat [in the real world, I would sandbox the malware to trigger the rules for real]. What I'm showing is just the first pass at developing a rule based on malware research.

So when this bundle, named Truesteer.AppStore, is run, it copies itself to /User/Shared/ and executes again from that location:

chmod +x /User/Shared/AppStore.app
sleep 5
rm -fr "/Users/%USER%/Downloads/Dokument.App"
"/User/Shared/AppStore.app/Contents/MacOS/AppStore" Dokument

But to make the rule more general, you need to think about the possibility of a threat actor using this format but changing certain things. Threat actors love to reuse old malware and modify it a little.

Rule query — chmod +x /User/Shared/AppStore.app

process where event.type in ("start", "process_started") and
  process.name : "chmod" and
  process.args : "/User/Shared/*.app"

So the * in /User/Shared/*.app is now a wildcard, in case a threat actor wants to reuse this setup but change AppStore.app to something different.

Rule query — rm -fr "/Users/%USER%/Downloads/Dokument.App"

process where event.type in ("start", "process_started") and
  process.name : "rm" and
  process.args : "-fr" and
  process.args : "/Users/*/Downloads/*.App"

So the * wildcards in /Users/*/Downloads/*.App replace the user name and the bundle name, in case a threat actor wants to reuse this setup but change Dokument.App to something different.

Now I will take the queries above and build a sequence. I need to remember that one of the commands was sleep 5, so the sequence has to span more than 5 seconds. I make this one 30 seconds to be on the safe side.
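The two queries above chained into the sequence this paragraph describes, written here as an added example rather than the post's own rule (the post does not show its sequence query). It assumes ECS field names as in the queries above, adds a `by host.id` join that the post does not mention, and uses the standard macOS path /Users/Shared/ where the post writes /User/Shared/.

```eql
// Added example: one Elastic EQL sequence built from the two single-event
// queries above. maxspan=30s comfortably covers the malware's "sleep 5"
// between the chmod and the rm, with headroom for slow hosts.
// "by host.id" is an assumption not in the post: it forces both events to
// come from the same host, so a chmod on one machine cannot be paired with
// an unrelated rm on another.
sequence by host.id with maxspan=30s
  // Step 1: the copied bundle is made executable under the shared folder.
  // /Users/Shared/ is the standard macOS path (the post writes /User/Shared/).
  [process where event.type in ("start", "process_started") and
     process.name : "chmod" and
     process.args : "+x" and
     process.args : "/Users/Shared/*.app"]
  // Step 2: the original download is removed with rm -fr.
  // The ":" operator is case-insensitive, so "*.App" also matches "*.app".
  [process where event.type in ("start", "process_started") and
     process.name : "rm" and
     process.args : "-fr" and
     process.args : "/Users/*/Downloads/*.App"]
```

Each bracketed query still works as a stand-alone rule; the sequence only adds the ordering and the 30-second window between them.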

Yara File

I will use the following YARA rule to help build the rules (the original lost its strings: and condition: sections in extraction; they are restored here).

rule osx_retefe_w0 {
    meta:
        author = "AlienVault Labs"
        type = "malware"
        description = "OSX/Dok"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe"
        malpedia_version = "20170602"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $c1 = "/usr/local/bin/brew"
        $c2 = "/usr/local/bin/tor"
        $c3 = "/usr/local/bin/socat"
        $c4 = "killall Safari"
        $c5 = "killall \"Google Chrome\""
        $c6 = "killall firefox"
        $c7 = "security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain %@"
    condition:
        all of them
}


Rule Building

NOTE: I have not tested these rules in a sandbox environment. Sandboxing the malware would allow me to improve these rules in terms of actually detecting it.

Rule 1: OSX/Dok — Pre-LaunchAgents. not process.args — anything following this negated clause will help quiet down false positives.

Rule 2: OSX/Dok — LaunchAgents. event.type != "deletion" — the event type is anything other than deletion.

  • You can see the other event types on a website I created that explains them: Event.Type | ELK [https://elk.wiki/en/ecs/event-type]

Rule 3 — OSX/Dok — Post-LaunchAgents

Conclusion: In the ideal scenario, these rules would trigger one after the other, which would confirm the malware is present, but this set of rules would require extra testing.


