splunk
diff --git a/‎contentctl.yml‎
Lines changed: 7 additions & 1 deletion b/‎contentctl.yml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎data_sources/osquery.yml‎ ‎data_sources/osquery_results.yml‎data_sources/osquery.yml renamed to data_sources/osquery_results.yml
Lines changed: 7 additions & 4 deletions b/‎data_sources/osquery.yml‎ ‎data_sources/osquery_results.yml‎data_sources/osquery.yml renamed to data_sources/osquery_results.yml
Lines changed: 7 additions & 4 deletions
diff --git a/‎detections/endpoint/macos_account_created.yml‎
Lines changed: 101 additions & 0 deletions b/‎detections/endpoint/macos_account_created.yml‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml‎
Lines changed: 17 additions & 7 deletions b/‎detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml‎
Lines changed: 17 additions & 7 deletions
diff --git a/‎detections/endpoint/macos_data_chunking.yml‎
Lines changed: 88 additions & 0 deletions b/‎detections/endpoint/macos_data_chunking.yml‎
Lines changed: 88 additions & 0 deletions
diff --git a/‎detections/endpoint/macos_gatekeeper_bypass.yml‎
Lines changed: 89 additions & 0 deletions b/‎detections/endpoint/macos_gatekeeper_bypass.yml‎
Lines changed: 89 additions & 0 deletions
@@ -92,7 +92,7 @@ apps:
   version: 1.3.0
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-iis_130.tgz
-- uid: 4242
+- uid: 6994
   title: CCX Add-on for Suricata
   appid: SPLUNK_TA_FOR_SURICATA
   version: 1.0.1
@@ -250,6 +250,12 @@ apps:
   version: 0.1.2
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/mcp-ta_012.tgz
+- uid: 8574
+  title: TA-osquery
+  appid: ta-osquery
+  version: 1.0.4
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-osquery_104.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
 test_data_caches:
 - base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
 
@@ -1,7 +1,7 @@
-name: osquery
+name: Osquery Results 
 id: 7ec4d7c8-c1d0-423a-9169-261f6adb74c0
-version: 2
-date: '2025-01-23'
+version: 3
+date: '2026-04-13'
 author: Patrick Bareiss, Splunk
 description: Logs system queries performed using osquery, including details about
   processes, file access, network activity, and system configurations.
@@ -13,7 +13,10 @@ mitre_components:
 - Application Log Content
 source: osquery
 sourcetype: osquery:results
-supported_TA: []
+supported_TA:
+- name: TA-osquery
+  url: https://splunkbase.splunk.com/app/8574
+  version: 1.0.4
 fields:
 - _time
 - calendarTime
 
@@ -0,0 +1,101 @@
+name: MacOS Account Created
+id: 491004ae-694f-453e-b1e0-fc1e65daeea1
+version: 1
+date: '2026-02-26'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: |-
+    The following analytic detects the creation of a new local user account on a MacOS system. It leverages osquery logs to identify this activity.
+    Monitoring the creation of local accounts is crucial for a SOC as it can indicate unauthorized access or lateral movement within the network.
+    If confirmed malicious, this activity could allow an attacker to establish persistence, escalate privileges, or gain unauthorized access to sensitive systems and data.
+data_source:
+    - Osquery Results
+search: |-
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+    from datamodel=Endpoint.Processes where
+
+    (
+        Processes.process = "*sysadminctl"
+        Processes.process = "*-addUser*"
+    )
+    OR
+    (
+        Processes.process = "*createhomedir*"
+        Processes.process = "*-u*"
+    )
+    OR
+    (
+        Processes.process = "*dseditgroup*"
+        Processes.process IN (
+            "*edit*",
+            "*-a*"
+            )
+    )
+    OR
+    (
+        Processes.process = "*dscl*"
+        Processes.process = "*-create*"
+    )
+
+    by Processes.dest Processes.original_file_name Processes.parent_process_id
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id
+       Processes.process_current_directory Processes.process_name
+       Processes.process_path Processes.user Processes.user_id
+       Processes.vendor_product
+
+    | `drop_dm_object_name(Processes)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `macos_account_created_filter`
+how_to_implement: |-
+    This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.
+    Also the [TA-OSquery](https://splunkbase.splunk.com/app/8574) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the data models.
+known_false_positives: |-
+    Creating new accounts after initial endpoint management should be rare in most environments. Investigate and tune as needed.
+references:
+    - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
+    - https://ss64.com/mac/sysadminctl.html
+    - https://ss64.com/mac/dseditgroup.html
+    - https://ss64.com/mac/dscl.html
+drilldown_searches:
+    - name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: New local account created on $dest$ by $user$ via $process$
+    risk_objects:
+        - field: user
+          type: user
+          score: 20
+        - field: dest
+          type: system
+          score: 20
+    threat_objects:
+        - field: process
+          type: process
+tags:
+    analytic_story:
+        - MacOS Persistence Techniques
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1136
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136/osquery_account_creation/osquery.log
+          source: osquery
+          sourcetype: osquery:results
@@ -1,32 +1,42 @@
 name: MacOS AMOS Stealer - Virtual Machine Check Activity
 id: 4e41ad21-9761-426d-8aa1-083712ff9f30
-version: 5
-date: '2026-03-10'
+version: 6
+date: '2026-04-13'
 author: Nasreddine Bencherchali, Splunk, Alex Karkins
 status: production
 type: Anomaly
 description: |
-    The following analytic detects AMOS Stealer VM check activity on macOS. It leverages osquery to monitor process events and identifies the execution of the "osascript" command along with specific commandline strings. This activity is significant
-    as AMOS stealer was seen using this pattern in order to check if the host is a Virtual Machine or not. If confirmed malicious, this behavior indicate that the host is already infected by the AMOS stealer, which could allow attackers to execute arbitrary code, escalate privileges, steal information, or persist within the environment, posing a significant security risk.
+    The following analytic detects AMOS Stealer VM check activity on macOS. It leverages osquery to monitor process events and identifies the execution of the "osascript" command along with specific commandline strings.
+    This activity is significant as AMOS stealer was seen using this pattern in order to check if the host is a Virtual Machine or not.
+    If confirmed malicious, this behavior indicate that the host is already infected by the AMOS stealer, which could allow attackers to execute arbitrary code, escalate privileges, steal information, or persist within the environment, posing a significant security risk.
 data_source:
-    - osquery
+    - Osquery Results
 search: |
-    `osquery_macro` name=es_process_events
-    columns.cmdline="*osascript*" AND columns.cmdline="* -e *" AND columns.cmdline="*set*" AND columns.cmdline="*system_profiler*" AND columns.cmdline IN ("*VMware*", "*QEMU*")
+    `osquery_macro`
+    name=es_process_events
+    columns.cmdline="*osascript*"
+    columns.cmdline="* -e *"
+    columns.cmdline="*set*"
+    columns.cmdline="*system_profiler*"
+    columns.cmdline IN ("*VMware*", "*QEMU*")
+
     | rename columns.* as *
+
     | stats  min(_time) as firstTime max(_time) as lastTime
       values(cmdline) as cmdline,
       values(pid) as pid,
       values(parent) as parent,
       values(path) as path,
       values(signing_id) as signing_id,
       by username host
+
     | rename
       username as user,
       cmdline as process,
       parent as parent_process,
       path as process_path,
       host as dest
+
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
     | `macos_amos_stealer___virtual_machine_check_activity_filter`
 
@@ -0,0 +1,88 @@
+name: MacOS Data Chunking
+id: 7f1c8bed-9bd4-40b0-a1df-c262cbade0fc
+version: 1
+date: '2026-02-26'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: |-
+    The following analytic detects suspicious data chunking activities that involve the use of split or dd, potentially indicating an attempt to evade detection by breaking large files into smaller parts.
+    Attackers may use this technique to bypass size-based security controls, facilitating the covert exfiltration of sensitive data.
+    By monitoring for unusual or unauthorized use of these commands, this analytic helps identify potential data exfiltration attempts, allowing security teams to intervene and prevent the unauthorized transfer of critical information from the network.
+data_source:
+    - Osquery Results
+search: |-
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+
+    from datamodel=Endpoint.Processes where
+
+    (
+        Processes.process = "dd *"
+         Processes.process = "* if=*"
+    )
+    OR
+    (
+        Processes.process = "*split *"
+        Processes.process="* -b *"
+    )
+
+    by Processes.dest Processes.original_file_name Processes.parent_process_id
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id
+       Processes.process_current_directory Processes.process_name
+       Processes.process_path Processes.user
+       Processes.user_id Processes.vendor_product
+
+    | `drop_dm_object_name(Processes)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `macos_data_chunking_filter`
+how_to_implement: |-
+    This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.
+    Also the [TA-OSquery](https://splunkbase.splunk.com/app/8574) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the data models.
+known_false_positives: |-
+    Administrator or network operator can use this application for automation purposes. Please update the filter macros to remove false positives.
+references:
+    - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
+    - https://ss64.com/mac/dd.html
+    - https://ss64.com/mac/split.html
+drilldown_searches:
+    - name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: A file was split on $dest$ by $user$ via $process$
+    risk_objects:
+        - field: user
+          type: user
+          score: 20
+        - field: dest
+          type: system
+          score: 20
+    threat_objects:
+        - field: process
+          type: process
+tags:
+    analytic_story:
+        - MacOS Post-Exploitation
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1030
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1030/osquery_data_chunking/osquery.log
+          source: osquery
+          sourcetype: osquery:results
@@ -0,0 +1,89 @@
+name: MacOS Gatekeeper Bypass
+id: 2c9346f3-bbeb-48ce-8411-fc13d09d83a5
+version: 1
+date: '2026-02-26'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: |-
+    Detects known MacOS security bypass techniques that may be used to enable malicious code execution.
+    Specifically monitors for attempts to remove the com.apple.quarantine attribute using xattr, or to disable Gatekeeper protections via spctl --master-disable, both of which can allow untrusted or malicious applications to execute without standard system safeguards.
+data_source:
+    - Osquery Results
+search: |-
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+
+    from datamodel=Endpoint.Processes where
+
+    (
+        Processes.process = "*xattr*"
+        Processes.process = "*com.apple.quarantine*"
+    )
+    OR
+    (
+        Processes.process = "*spctl*"
+        Processes.process = "*master-disable*"
+    )
+
+    by Processes.dest Processes.original_file_name Processes.parent_process_id
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id
+       Processes.process_current_directory Processes.process_name
+       Processes.process_path Processes.user
+       Processes.user_id Processes.vendor_product
+
+    | `drop_dm_object_name(Processes)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `macos_gatekeeper_bypass_filter`
+how_to_implement: |-
+    This detection uses osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.
+    Also the [TA-OSquery](https://splunkbase.splunk.com/app/8574) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the data models.
+known_false_positives: |-
+    Administrators or power users may need to disable Gatekeeper to install unsigned tools.
+references:
+    - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
+    - https://ss64.com/mac/xattr.html
+    - https://ss64.com/mac/spctl.html
+drilldown_searches:
+    - name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: Attempt to bypass gatekeeper protections on $dest$ by $user$ via $process$
+    risk_objects:
+        - field: user
+          type: user
+          score: 20
+        - field: dest
+          type: system
+          score: 20
+    threat_objects:
+        - field: process
+          type: process
+tags:
+    analytic_story:
+        - MacOS Privilege Escalation
+        - MacOS Post-Exploitation
+        - MacOS Persistence Techniques
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1553.001
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1553.001/osquery_gatekeeper/osquery.log
+          source: osquery
+          sourcetype: osquery:results