Query Details

Suspicious Oahd Activity On Mac OS

Query

let SuspiciousOahdFileEvents = 
	DeviceFileEvents
	| where
		(FolderPath startswith "/var/db/oah/" and ActionType in ("FileCreated", "FileModified"))
		or (FileName =~ "oahd" and FolderPath !startswith "/usr/libexec")
		or (FileName =~ "com.apple.oahd.plist"
			and FolderPath !in ("/System/Library/LaunchDaemons/", "/Library/LaunchDaemons/"))
	| extend
		IsCacheWrite = FolderPath startswith "/var/db/oah/",
		IsFakeBinary = FileName =~ "oahd" and FolderPath !startswith "/usr/libexec",
		IsPlistHijack = FileName =~ "com.apple.oahd.plist"
			and FolderPath !in ("/System/Library/LaunchDaemons/", "/Library/LaunchDaemons/")
	| where isnotempty(InitiatingProcessSHA1)
	| invoke FileProfile(InitiatingProcessSHA1, 1000)
	| project
		TimeGenerated,
		DeviceName,
		ActionType,
		FileName,
		FolderPath,
		InitiatingProcessSHA1,
		InitiatingProcessFileName,
		InitiatingProcessFolderPath,
		InitiatingProcessCommandLine,
		InitiatingProcessAccountName,
		IsCacheWrite,
		IsFakeBinary,
		IsPlistHijack,
		GlobalPrevalence,
		GlobalFirstSeen,
		GlobalLastSeen,
		Signer,
		IsRootSignerMicrosoft,
		SignatureState,
		ThreatName;
let SuspiciousOahdProcessEvents =
	DeviceProcessEvents
	| where FileName =~ "oahd"
		or ProcessCommandLine has "com.apple.oahd"
	| extend
		IsLegitPath = FolderPath startswith "/usr/libexec/oahd"
			or FolderPath =~ "/usr/libexec/oahd",
		IsSuspiciousParent = InitiatingProcessFileName !in~ ("launchd", "xpcproxy"),
		HasSuspiciousArgs = ProcessCommandLine has_any (
			"/tmp/", "/Users/Shared/", "/var/tmp/", "../", "http://", "https://"),
		IsSuspiciousCachePath = ProcessCommandLine has "/var/db/oah/"
			and not(ProcessCommandLine has "/var/db/oah/com.apple")
	| where not(IsLegitPath)
		or IsSuspiciousParent
		or HasSuspiciousArgs
		or IsSuspiciousCachePath
	| project
		TimeGenerated,
		DeviceName,
		FileName,
		FolderPath,
		ProcessCommandLine,
		InitiatingProcessFileName,
		InitiatingProcessFolderPath,
		InitiatingProcessCommandLine,
		AccountName,
		IsLegitPath,
		IsSuspiciousParent,
		HasSuspiciousArgs,
		IsSuspiciousCachePath;
SuspiciousOahdFileEvents
| join kind=inner (
	SuspiciousOahdProcessEvents
	| project-rename ProcessTime = TimeGenerated
) on DeviceName
| where ProcessTime between (TimeGenerated .. (TimeGenerated + 15m))
| where GlobalPrevalence < 5000
| project
	FileEventTime = TimeGenerated,
	ProcessEventTime = ProcessTime,
	DeviceName,
	// File-Side
	ActionType,
	AffectedFile = strcat(FolderPath, FileName),
	IsCacheWrite,
	IsFakeBinary,
	IsPlistHijack,
	FileInitiator = InitiatingProcessFileName,
	FileInitiatorPath = InitiatingProcessFolderPath,
	FileInitiatorCmdLine = InitiatingProcessCommandLine,
	DroppingAccountName = InitiatingProcessAccountName,
	// FileProfile-Reputationsdaten
	InitiatingProcessSHA1,
	GlobalPrevalence,
	GlobalFirstSeen,
	GlobalLastSeen,
	Signer,
	IsRootSignerMicrosoft,
	SignatureState,
	ThreatName,
	// Process-Side
	SpawnedBinary = strcat(FolderPath1, FileName1),
	SpawnCmdLine = ProcessCommandLine,
	SpawnParent = InitiatingProcessFileName1,
	SpawnParentPath = InitiatingProcessFolderPath1,
	SpawnParentCmdLine = InitiatingProcessCommandLine1,
	SpawnAccountName = AccountName,
	// Flags
	IsLegitPath,
	IsSuspiciousParent,
	HasSuspiciousArgs,
	IsSuspiciousCachePath
| sort by FileEventTime desc

About this query

Explanation

This query is designed to detect suspicious activities related to the 'oahd' process on macOS, which might indicate malicious behavior or persistence mechanisms. Here's a simplified breakdown of what the query does:

  1. File Events Detection:

    • It looks for file creation or modification events in specific directories related to 'oahd'.
    • It checks if there are any 'oahd' files created outside their legitimate directory (/usr/libexec).
    • It identifies any manipulation of the 'com.apple.oahd.plist' file outside standard system paths.
  2. Process Events Detection:

    • It monitors the execution of the 'oahd' process to see if it runs from non-standard paths.
    • It checks if the 'oahd' process is initiated by suspicious parent processes (not 'launchd' or 'xpcproxy').
    • It looks for suspicious command-line arguments that might indicate malicious intent, such as references to temporary directories or URLs.
  3. Correlation:

    • The query correlates file events with process execution events to identify suspicious activities.
    • It ensures that the process execution happens shortly after the file event (within 15 minutes).
  4. Filtering:

    • It filters out common or globally prevalent files to reduce false positives.
    • It provides detailed information about the suspicious file and process activities, including file paths, command-line arguments, and account names involved.
  5. Output:

    • The results include timestamps, device names, file and process details, and flags indicating the nature of the suspicious activity (e.g., cache write, fake binary, plist hijack).

Overall, this query helps security analysts identify potentially malicious activities involving the 'oahd' process on macOS by examining file and process behaviors that deviate from the norm.

Details

Benjamin Zulliger profile picture

Benjamin Zulliger

Released: June 22, 2026

Tables

DeviceFileEventsDeviceProcessEvents

Keywords

DeviceFileEventsProcessNameFolderPathCommandLineInitiatingAccountGlobalPrevalenceFirstSeenLastSignerSignatureStateThreat

Operators

letwherestartswithin=~!startswith!inextendisnotemptyinvokeprojectorhashas_anynotjoinkind=innerproject-renamebetween..<strcatsort by

MITRE Techniques

Actions

GitHub