DMG File Information Queries
When Cybereason identifies a malicious file, it is useful to identify the mount point from which the file originated. In Mac environments, DMGs (Apple Disk Images) are one type of mount point. When a DMG file is opened, it is mounted as a file system and its contents become accessible. Once mounted, files contained in the DMG can be executed from within the DMG or copied to the Applications folder. Every executable file associated with a DMG can be traced back to the DMG file that created it, even if the DMG file created a local instance that runs from outside the DMG.
The example queries in this section are meant to be a starting point for your investigations. You may need to update the Features (filters) in each query to use indicators specific to your environment or situation.
Each of these examples is formatted with the individual Element in the query on its own separate line, in bold text. Features (filters) applied to the Element follow the Element name in regular weight text. Each example also contains a description of the goal of the hunt and the explanatory statement of what you want to find.
Find files or processes originating from DMG files
Goal: Search for files or processes that came from DMG files on a Mac machine.
Explanatory statement: I want to find files and processes that originated from a DMG file.
Construct one of these two possible queries:
Option 1: File Element THEN
Mount point Element -> filter for Media type is Disk image file
Afterwards, select a file from the results list to display the element details screen and view details on the associated mount point.
Option 2 (valid only if processes were run from the DMG): File Element THEN
Mount point Element -> filter for Media type is Disk image file
If processes were run from the DMG, Cybereason will display a Files section in the mount point details screen that lists files mounted from that DMG mount point.
Find mount points that mount DMG files
Goal: Find different mount points for DMG files in your Mac machines.
Explanatory statement: I want to find different mount points of DMG files.
Construct this query:
Mount point Element -> Media type is Disk image file
Find DMG files that were mounted
Goal: Find a list of all DMG files actually mounted on the Mac machine.
Explanatory statement: I want to find a list of all DMG files that actually have been mounted on a machine.
Construct this query:
Mount point Element -> Media type is Disk image file
Then, select a mount point from the results list to display details for the mount point. The file that mounted this mount point is listed as Mounted from image file in the Properties section.
Click the file link for more information on the file.
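The mount-point-to-image mapping that the introduction and the "Mounted from image file" property describe can also be checked directly on a Mac host. The following is an added example, not Cybereason's own code: it parses the output shape of `hdiutil info -plist` (assumed here: an `images` array whose entries carry `image-path` and `system-entities` with `mount-point`; the XML below is a constructed sample, not captured output) and resolves a running process path to the DMG it was launched from. A copy that runs from outside the DMG (for example from the Applications folder) is not resolvable from the mount table alone; that lineage is what the product's element details provide.

```python
import plistlib
from pathlib import PurePosixPath

# Constructed sample in the shape of `hdiutil info -plist` output.
# The key names are an assumption about hdiutil's plist format.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>images</key>
  <array>
    <dict>
      <key>image-path</key>
      <string>/Users/analyst/Downloads/Installer.dmg</string>
      <key>system-entities</key>
      <array>
        <dict>
          <key>dev-entry</key>
          <string>/dev/disk4s1</string>
          <key>mount-point</key>
          <string>/Volumes/Installer</string>
        </dict>
        <dict>
          <key>dev-entry</key>
          <string>/dev/disk4</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def mount_map(plist_bytes):
    """Return {mount_point: image_path} for every mounted disk image."""
    info = plistlib.loads(plist_bytes)
    result = {}
    for image in info.get("images", []):
        for entity in image.get("system-entities", []):
            mount_point = entity.get("mount-point")
            if mount_point:  # whole-disk entries carry no mount point
                result[mount_point] = image["image-path"]
    return result


def dmg_origin(path, mounts):
    """Map a file or process path to the DMG it runs from, or None."""
    p = PurePosixPath(path)
    for mount_point, image in mounts.items():
        mp = PurePosixPath(mount_point)
        if p == mp or mp in p.parents:
            return image
    return None
```

On a live host, replace `SAMPLE_PLIST` with the bytes returned by `subprocess.run(["hdiutil", "info", "-plist"], capture_output=True).stdout`.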