Suspicious Oahd Activity On Mac OS
Query
let SuspiciousOahdFileEvents =
DeviceFileEvents
| where
(FolderPath startswith "/var/db/oah/" and ActionType in ("FileCreated", "FileModified"))
or (FileName =~ "oahd" and FolderPath !startswith "/usr/libexec")
or (FileName =~ "com.apple.oahd.plist"
and FolderPath !in ("/System/Library/LaunchDaemons/", "/Library/LaunchDaemons/"))
| extend
IsCacheWrite = FolderPath startswith "/var/db/oah/",
IsFakeBinary = FileName =~ "oahd" and FolderPath !startswith "/usr/libexec",
IsPlistHijack = FileName =~ "com.apple.oahd.plist"
and FolderPath !in ("/System/Library/LaunchDaemons/", "/Library/LaunchDaemons/")
| where isnotempty(InitiatingProcessSHA1)
| invoke FileProfile(InitiatingProcessSHA1, 1000)
| project
TimeGenerated,
DeviceName,
ActionType,
FileName,
FolderPath,
InitiatingProcessSHA1,
InitiatingProcessFileName,
InitiatingProcessFolderPath,
InitiatingProcessCommandLine,
InitiatingProcessAccountName,
IsCacheWrite,
IsFakeBinary,
IsPlistHijack,
GlobalPrevalence,
GlobalFirstSeen,
GlobalLastSeen,
Signer,
IsRootSignerMicrosoft,
SignatureState,
ThreatName;
let SuspiciousOahdProcessEvents =
DeviceProcessEvents
| where FileName =~ "oahd"
or ProcessCommandLine has "com.apple.oahd"
| extend
IsLegitPath = FolderPath startswith "/usr/libexec/oahd"
or FolderPath =~ "/usr/libexec/oahd",
IsSuspiciousParent = InitiatingProcessFileName !in~ ("launchd", "xpcproxy"),
HasSuspiciousArgs = ProcessCommandLine has_any (
"/tmp/", "/Users/Shared/", "/var/tmp/", "../", "http://", "https://"),
IsSuspiciousCachePath = ProcessCommandLine has "/var/db/oah/"
and not(ProcessCommandLine has "/var/db/oah/com.apple")
| where not(IsLegitPath)
or IsSuspiciousParent
or HasSuspiciousArgs
or IsSuspiciousCachePath
| project
TimeGenerated,
DeviceName,
FileName,
FolderPath,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessFolderPath,
InitiatingProcessCommandLine,
AccountName,
IsLegitPath,
IsSuspiciousParent,
HasSuspiciousArgs,
IsSuspiciousCachePath;
SuspiciousOahdFileEvents
| join kind=inner (
SuspiciousOahdProcessEvents
| project-rename ProcessTime = TimeGenerated
) on DeviceName
| where ProcessTime between (TimeGenerated .. (TimeGenerated + 15m))
| where GlobalPrevalence < 5000
| project
FileEventTime = TimeGenerated,
ProcessEventTime = ProcessTime,
DeviceName,
// File-Side
ActionType,
AffectedFile = strcat(FolderPath, FileName),
IsCacheWrite,
IsFakeBinary,
IsPlistHijack,
FileInitiator = InitiatingProcessFileName,
FileInitiatorPath = InitiatingProcessFolderPath,
FileInitiatorCmdLine = InitiatingProcessCommandLine,
DroppingAccountName = InitiatingProcessAccountName,
// FileProfile-Reputationsdaten
InitiatingProcessSHA1,
GlobalPrevalence,
GlobalFirstSeen,
GlobalLastSeen,
Signer,
IsRootSignerMicrosoft,
SignatureState,
ThreatName,
// Process-Side
SpawnedBinary = strcat(FolderPath1, FileName1),
SpawnCmdLine = ProcessCommandLine,
SpawnParent = InitiatingProcessFileName1,
SpawnParentPath = InitiatingProcessFolderPath1,
SpawnParentCmdLine = InitiatingProcessCommandLine1,
SpawnAccountName = AccountName,
// Flags
IsLegitPath,
IsSuspiciousParent,
HasSuspiciousArgs,
IsSuspiciousCachePath
| sort by FileEventTime descAbout this query
Explanation
This query is designed to detect suspicious activities related to the 'oahd' process on macOS, which might indicate malicious behavior or persistence mechanisms. Here's a simplified breakdown of what the query does:
-
File Events Detection:
- It looks for file creation or modification events in specific directories related to 'oahd'.
- It checks if there are any 'oahd' files created outside their legitimate directory (
/usr/libexec). - It identifies any manipulation of the 'com.apple.oahd.plist' file outside standard system paths.
-
Process Events Detection:
- It monitors the execution of the 'oahd' process to see if it runs from non-standard paths.
- It checks if the 'oahd' process is initiated by suspicious parent processes (not 'launchd' or 'xpcproxy').
- It looks for suspicious command-line arguments that might indicate malicious intent, such as references to temporary directories or URLs.
-
Correlation:
- The query correlates file events with process execution events to identify suspicious activities.
- It ensures that the process execution happens shortly after the file event (within 15 minutes).
-
Filtering:
- It filters out common or globally prevalent files to reduce false positives.
- It provides detailed information about the suspicious file and process activities, including file paths, command-line arguments, and account names involved.
-
Output:
- The results include timestamps, device names, file and process details, and flags indicating the nature of the suspicious activity (e.g., cache write, fake binary, plist hijack).
Overall, this query helps security analysts identify potentially malicious activities involving the 'oahd' process on macOS by examining file and process behaviors that deviate from the norm.
Details

Benjamin Zulliger
Released: June 22, 2026
Tables
DeviceFileEventsDeviceProcessEvents
Keywords
DeviceFileEventsProcessNameFolderPathCommandLineInitiatingAccountGlobalPrevalenceFirstSeenLastSignerSignatureStateThreat
Operators
letwherestartswithin=~!startswith!inextendisnotemptyinvokeprojectorhashas_anynotjoinkind=innerproject-renamebetween..<strcatsort by