The MacOceanLotusBackdoor rule detects potential OceanLotus activity on macOS by looking for process creations whose file name matches one of two backdoor process names associated with this advanced threat. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate persistent, stealthy malware that could exfiltrate data or establish long-term access within the network.
KQL Query
```kql
DeviceProcessEvents
| where Timestamp > ago(14d)
| where FileName in~ ("screenassistantd","spellagentd")
| top 100 by Timestamp
```
```yaml
id: 02b7dd9d-397a-4726-9761-1130b663f8cf
name: MacOceanLotusBackdoor
description: |
  Backdoor processes associated with the OceanLotus macOS backdoor.
  References:
  https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
  OS platforms: macOS
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
query: |
  DeviceProcessEvents
  | where Timestamp > ago(14d)
  | where FileName in~ ("screenassistantd","spellagentd")
  | top 100 by Timestamp
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the MicrosoftThreatProtection data connector is enabled |
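An enriched version of the hunt, added here as an example; it is not part of the original rule or of the Sentinel content quoted above. It keeps the rule's 14-day window and the two process names, and assumes the standard DeviceProcessEvents schema exposed by the MicrosoftThreatProtection connector (FolderPath, SHA256, ProcessCommandLine, InitiatingProcessFileName and related columns). Instead of returning the last 100 raw rows, it summarizes per device and file name the paths, hashes, parent processes and accounts an analyst needs to triage a hit, and counts launchd-started executions separately rather than excluding them:

```kql
// Added example: enriched hunt for the OceanLotus backdoor process names.
// Assumes the standard DeviceProcessEvents schema; the window and the two
// names are taken from the MacOceanLotusBackdoor rule.
let lookback = 14d;
DeviceProcessEvents
| where Timestamp > ago(lookback)
// in~ is case-insensitive, so a file named ScreenAssistantD also matches
| where FileName in~ ("screenassistantd", "spellagentd")
// Keep only the columns needed to decide whether a hit is benign
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256,
          ProcessCommandLine, InitiatingProcessFileName,
          InitiatingProcessFolderPath, InitiatingProcessCommandLine
// launchd-started runs are expected for a maintenance job and for a
// persistent backdoor alike, so they are counted here, not filtered out
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Executions = count(),
            LaunchdStarted = countif(InitiatingProcessFileName =~ "launchd"),
            Paths = make_set(FolderPath),
            Hashes = make_set(SHA256),
            Parents = make_set(InitiatingProcessFileName),
            Accounts = make_set(AccountName)
            by DeviceName, FileName
| order by LastSeen desc
```

Pivot on each distinct path and hash before writing an exclusion: an exclusion should name a verified FolderPath and SHA256 pair, never a parent process or an account, because both are shared between a legitimate job and a backdoor running under a compromised user. The rule's `top 100 by Timestamp` cap is dropped here because the summarize already bounds the output to one row per device and file name.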
Scenario: Scheduled System Maintenance Task
Description: A launchd job or cron job starts a binary that carries one of the two matched file names (screenassistantd or spellagentd). The rule matches on FileName only, so the script's contents and arguments play no part in the match.
Filter/Exclusion: Inspect the LaunchAgent or LaunchDaemon plist, or the crontab entry, that started the process, and confirm the binary's full path and hash (FolderPath, SHA256) belong to a known maintenance job. Do not exclude on a launchd or cron parent alone: a persistent backdoor is also started by launchd, so InitiatingProcessFileName being launchd is equally consistent with the malware.
Scenario: Admin Tool Execution
Description: An administrator's use of osascript, dscl or similar tools does not trigger this rule by itself, because only the process file name is matched. A hit during administrative work means something actually named screenassistantd or spellagentd was started, for example as a child of an admin script.
Filter/Exclusion: Do not exclude all processes run by admin accounts; a backdoor running under a compromised admin user would then disappear from the results. Compare AccountName, FolderPath and SHA256 against a verified inventory of the binary and exclude a specific path and hash pair, not a user.
Scenario: Software Update or Patching Job
Description: softwareupdate and jamf do not match the rule's file names, so update jobs do not trigger it through their own activity. A hit during patching means a binary with one of the two names was started, for example by an installer package.
Filter/Exclusion: Check InitiatingProcessFileName and InitiatingProcessCommandLine for the update tool, identify the package that delivered the binary, and only then exclude that specific path and hash.
Scenario: Network Monitoring Tool
Description: tcpdump, wireshark and ngrep are not among the matched names and do not trigger this rule; the rule does not inspect process behavior such as packet capture.
Filter/Exclusion: No exclusion for these tools is needed. If a hit appears on a monitoring host, triage it like any other hit by path, hash and parent process.
Description: A custom script written by the security team