Updating artifacts

behavior/rules/collection_sensitive_file_access_followed_by_compression.toml

@@ -0,0 +1,57 @@
+[rule]
+description = """
+Detects when a sensitive file is accessed followed by the immediate creation of a compressed file. This activity can
+indicate an attempt to collect sensitive local data and stage it for exfiltration.
+"""
+id = "58370744-f52b-4f28-aa06-469efd1e1825"
+license = "Elastic License v2"
+name = "Sensitive File Access followed by Compression"
+os_list = ["macos"]
+version = "1.0.4"
+
+query = '''
+sequence by process.entity_id with maxspan=15s
+[file where event.action == "open" and not file.name : ("System.keychain", "login.keychain-db")]
+[file where event.action == "modification" and file.extension : ("zip", "gzip", "gz") and 
+  file.path : ("/Users/Shared/*",
+               "/Library/Logs/*",
+               "/Users/*/Library/Logs/*",
+               "/Library/WebServer/*",
+               "/Users/*/Library/WebServer/*",
+               "/Library/Graphics/*",
+               "/Users/*/Library/Graphics/*",
+               "/Library/Fonts/*",
+               "/Users/*/Library/Fonts/*",
+               "/private/var/root/Library/HTTPStorages/*",
+               "/tmp/*",
+               "/var/tmp/*",
+               "/private/tmp/*")]
+'''
+
+min_endpoint_version = "8.11.1"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+[[threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
+
+
+
+[threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[internal]
+min_endpoint_version = "8.11.1"

behavior/rules/command_and_control_curl_execution_via_env_binary.toml

@@ -0,0 +1,44 @@
+[rule]
+description = """
+Detects when curl is executed via the env binary. This is a common technique used by adversaries to avoid standard curl
+focused detections.
+"""
+id = "6fbfa489-517a-4b1a-ada6-e88da2012e7b"
+license = "Elastic License v2"
+name = "Curl Execution via Env Binary"
+os_list = ["macos"]
+version = "1.0.4"
+
+query = '''
+sequence by process.parent.entity_id with maxspan=30s
+[process where event.type == "start" and process.name : "env" and 
+  process.args : "-c" and process.args : ("*curl*", "*nscurl*")]
+[process where event.type == "start" and 
+  process.name : ("bash", "sh", "zsh") and 
+  process.args : "-c" and process.args : ("*curl*", "*nscurl*")]
+[process where event.type == "start" and process.name : ("curl", "nscurl") and
+  not process.parent.executable : ("/Library/Developer/*", "/opt/homebrew/Cellar/*")]
+'''
+
+min_endpoint_version = "8.5.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 2
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "8.5.0"

behavior/rules/command_and_control_curl_execution_via_node.toml

@@ -0,0 +1,46 @@
+[rule]
+description = """
+Detects when curl or nscurl is executed as an argument of a shell interpreter via a node parent process. This is a
+common technique used by malware to download additional payloads and evade traditional defenses.
+"""
+id = "1ef77794-f718-4bc0-a846-971c45aa00e7"
+license = "Elastic License v2"
+name = "Curl Execution via Node"
+os_list = ["macos"]
+reference = ["https://medium.com/@D00MFist/loads-of-fun-e1f0dac3d4f8"]
+version = "1.0.4"
+
+query = '''
+process where event.type == "start" and process.parent.name : "node" and
+ (
+  (process.name : ("sh", "bash", "zsh", "tclsh*") and 
+    process.args : "-c" and 
+    process.args : ("curl*", "nscurl*")) or 
+  (process.name : ("curl", "nscurl"))
+ ) and
+ not process.args : ("curl -sfL https://raw.githubusercontent.com/lokalise/*", "*http://elastic:changeme@localhost:5601*") and
+ not process.Ext.effective_parent.executable : "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
+'''
+
+min_endpoint_version = "8.7.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "8.7.0"

behavior/rules/command_and_control_url_as_process_argument_via_installer_package.toml

@@ -0,0 +1,53 @@
+[rule]
+description = """
+Detects when a url is supplied as a command line argument to an installer package binary via the installer process
+itself. This technique is a creative way to download a second stage payload and evade curl based detections. This
+activity can be observed when in a pre or post install script it specifies a url as an argument to a binary included in
+the package that when executed will reach out to the specified url.
+"""
+id = "b06dcea7-9ef3-428d-bd4d-80004f69200f"
+license = "Elastic License v2"
+name = "URL as Process Argument via Installer Package"
+os_list = ["macos"]
+version = "1.0.2"
+
+query = '''
+process where event.type == "start" and 
+ process.Ext.effective_parent.executable : "/usr/sbin/installer" and
+ process.args : "http*" and 
+ not process.name : ("wget", "curl", "git", "nscurl") and 
+ not process.executable : ("/opt/homebrew/*", "/usr/local/Cellar/*", "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksadmin")
+'''
+
+min_endpoint_version = "8.7.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+[[threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "8.7.0"

behavior/rules/credential_access_crypto_wallet_file_access_by_unsigned_or_untrusted_binary.toml

@@ -0,0 +1,56 @@
+[rule]
+description = """
+Detects when a suspicious process attempts to access a crypto wallet sensitive file. This is an alpha version of this
+rule and meant to be used to assess and test.
+"""
+id = "a3050eae-c8ae-434d-aeff-97112eddcb48"
+license = "Elastic License v2"
+name = "Crypto Wallet File Access by Unsigned or Untrusted Binary"
+os_list = ["macos"]
+version = "1.0.8"
+
+query = '''
+file where event.action == "open" and 
+ file.path : ("/Users/*/.electrum/wallets/*", 
+              "/Users/*/Library/Application Support/Exodus/exodus.wallet", 
+              "/Users/*/Library/Application Support/Coinomi/wallets/*",
+              "/Users/*/Library/Application Support/atomic/Local Storage/leveldb/*",
+              "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/nkbihfbeogaeaoehlefnkodbefgpgknn/*",
+              "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/fhilaheimglignddkjgofkcbgekhenbh/*",
+              "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/odbfpeeihdkbihmopkbjmoonfanlbfcl/*",
+              "/Users/*/Library/Application Support/BraveSoftware/Brave-Browser/BraveWallet/*",
+              "/Users/*/Library/Application Support/BraveSoftware/Brave-Browser/Default/BraveWallet/Brave Wallet Storage/*",
+              "/Users/*/Library/Application Support/Firefox/Profiles/*/extensions/[email protected]",
+              "/Users/*/Library/Application Support/Microsoft Edge/Edge Wallet/*",
+              "/Users/*/Library/Application Support/Microsoft Edge/Default/Extensions/ejbalbakoplchlghecdalmeeeajnimhm/*") and
+  process.executable != null and
+  (process.code_signature.trusted == false or process.code_signature.exists == false)
+'''
+
+min_endpoint_version = "8.11.1"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+
+
+[threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[internal]
+min_endpoint_version = "8.11.1"

behavior/rules/defense_evasion_dylib_load_via_untrusted_process_in_temporary_directory.toml

@@ -0,0 +1,46 @@
+[rule]
+description = """
+Identifies instances where a dynamic library (dylib) is loaded by an untrusted process on macOS. Threat actors may abuse
+this technique by leveraging compromised or malicious processes to load dylibs for code injection, persistence, or
+privilege escalation. When a dylib is loaded by an untrusted or unsigned process, it may indicate that the process
+itself is malicious or has been tampered with, bypassing security mechanisms that rely on process code signing to
+validate the integrity and authenticity of the process.
+"""
+id = "f8367f4d-08ca-4865-840c-7cb965a14eeb"
+license = "Elastic License v2"
+name = "Dylib Load via Untrusted Process in Temporary Directory"
+os_list = ["macos"]
+version = "1.0.18"
+
+query = '''
+library where event.action == "load" and 
+ process.executable : ("/tmp/*", "/var/tmp/*", "/private/tmp/*") and
+ process.code_signature.trusted == false and
+ not process.code_signature.status : "errorCode_endpoint*" and 
+ not Effective_process.executable : "/opt/homebrew/*" and
+ not dll.path : ("/Applications/Xcode.app/*", "/Applications/Xcode-*.app/*", "/opt/homebrew/*") and
+ not (Effective_process.executable : "/nix/store/*" and dll.path : "/nix/store/*")
+'''
+
+min_endpoint_version = "8.11.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "8.11.0"

behavior/rules/defense_evasion_linux_file_made_executable_by_suspicious_parent.toml

@@ -0,0 +1,49 @@
+[rule]
+description = """
+Detects when a file located in a suspicious location is made executable using chmod via an abnormal or suspicious parent
+process. Malware will often drop a second stage payload or file and will need to make it executable before invoking it.
+"""
+id = "742037b3-3ef6-4a33-84ed-b26fc6ae322c"
+license = "Elastic License v2"
+name = "Linux File Made Executable by Suspicious Parent"
+os_list = ["linux"]
+version = "1.0.4"
+
+query = '''
+process where event.action == "exec" and event.type == "start" and process.name == "chmod" and
+process.args : ("+x", "a+x", "0777", "755", "777") and process.args : "/dev/shm/*" and
+process.parent.executable != null
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+[[threat.technique.subtechnique]]
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
+
+
+[[threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"