diff --git a/behavior/rules/collection_sensitive_file_access_followed_by_compression.toml b/behavior/rules/collection_sensitive_file_access_followed_by_compression.toml
new file mode 100644
index 00000000..1c6ee809
--- /dev/null
+++ b/behavior/rules/collection_sensitive_file_access_followed_by_compression.toml
@@ -0,0 +1,57 @@
+[rule]
+description = """
+Detects when a sensitive file is accessed followed by the immediate creation of a compressed file. This activity can
+indicate an attempt to collect sensitive local data and stage it for exfiltration.
+"""
+id = "58370744-f52b-4f28-aa06-469efd1e1825"
+license = "Elastic License v2"
+name = "Sensitive File Access followed by Compression"
+os_list = ["macos"]
+version = "1.0.4"
+
+query = '''
+sequence by process.entity_id with maxspan=15s
+[file where event.action == "open" and not file.name : ("System.keychain", "login.keychain-db")]
+[file where event.action == "modification" and file.extension : ("zip", "gzip", "gz") and
+  file.path : ("/Users/Shared/*",
+                 "/Library/Logs/*",
+                 "/Users/*/Library/Logs/*",
+                 "/Library/WebServer/*",
+                 "/Users/*/Library/WebServer/*",
+                 "/Library/Graphics/*",
+                 "/Users/*/Library/Graphics/*",
+                 "/Library/Fonts/*",
+                 "/Users/*/Library/Fonts/*",
+                 "/private/var/root/Library/HTTPStorages/*",
+                 "/tmp/*",
+                 "/var/tmp/*",
+                 "/private/tmp/*")]
+'''
+
+min_endpoint_version = "8.11.1"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1074"
+name = "Data Staged"
+reference = "https://attack.mitre.org/techniques/T1074/"
+[[threat.technique.subtechnique]]
+id = "T1074.001"
+name = "Local Data Staging"
+reference = "https://attack.mitre.org/techniques/T1074/001/"
+
+
+
+[threat.tactic]
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
+
+[internal]
+min_endpoint_version = "8.11.1"
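Review bot: The first sequence step is effectively an allow-all: `[file where event.action == "open" and not file.name : ("System.keychain", "login.keychain-db")]` matches every file open except the two keychain files, so the rule fires on any process that opens anything and then writes a zip/gz under the listed paths within 15s, which is not the "sensitive file is accessed" the description promises. If excluding the keychains is deliberate (presumably to leave them to a dedicated rule), the first step still needs a positive `file.path : (...)` list of the sensitive locations this rule is meant to cover, plus a `// ...` comment saying why the keychain files are carved out. Separately, `"gzip"` is an unusual file extension next to `"gz"`; if it is intentional, a comment would stop the next reader from removing it.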
diff --git a/behavior/rules/command_and_control_curl_execution_via_env_binary.toml b/behavior/rules/command_and_control_curl_execution_via_env_binary.toml
new file mode 100644
index 00000000..724727b4
--- /dev/null
+++ b/behavior/rules/command_and_control_curl_execution_via_env_binary.toml
@@ -0,0 +1,44 @@
+[rule]
+description = """
+Detects when curl is executed via the env binary. This is a common technique used by adversaries to avoid standard curl
+focused detections.
+"""
+id = "6fbfa489-517a-4b1a-ada6-e88da2012e7b"
+license = "Elastic License v2"
+name = "Curl Execution via Env Binary"
+os_list = ["macos"]
+version = "1.0.4"
+
+query = '''
+sequence by process.parent.entity_id with maxspan=30s
+[process where event.type == "start" and process.name : "env" and
+  process.args : "-c" and process.args : ("*curl*", "*nscurl*")]
+[process where event.type == "start" and
+  process.name : ("bash", "sh", "zsh") and
+  process.args : "-c" and process.args : ("*curl*", "*nscurl*")]
+[process where event.type == "start" and process.name : ("curl", "nscurl") and
+  not process.parent.executable : ("/Library/Developer/*", "/opt/homebrew/Cellar/*")]
+'''
+
+min_endpoint_version = "8.5.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 2
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "8.5.0"
diff --git a/behavior/rules/command_and_control_curl_execution_via_node.toml b/behavior/rules/command_and_control_curl_execution_via_node.toml
new file mode 100644
index 00000000..a3962f97
--- /dev/null
+++ b/behavior/rules/command_and_control_curl_execution_via_node.toml
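Review bot: The join key `sequence by process.parent.entity_id` only links all three steps if `env` and the shell replace themselves in place so that `curl` ends up with the same parent as `env`; that assumption is not written down anywhere in the rule and is the first thing a maintainer will question when the sequence stops firing. Add a `// ...` comment above the `sequence` line stating the expected process relationship. The final-step exclusion `not process.parent.executable : ("/Library/Developer/*", "/opt/homebrew/Cellar/*")` keys on path alone, and `/opt/homebrew/Cellar` is typically user-writable on Homebrew installs, so it is a broad suppression; if it is kept, consider pairing it with a parent code-signature trust check (as the other rules on this page do with `process.code_signature.trusted`) and document the false positive it was added for. `state = 2` also differs from the `state = 0` used by every other rule in this commit; if that is deliberate, a comment would help.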
@@ -0,0 +1,46 @@
+[rule]
+description = """
+Detects when curl or nscurl is executed as an argument of a shell interpreter via a node parent process. This is a
+common technique used by malware to download additional payloads and evade traditional defenses.
+"""
+id = "1ef77794-f718-4bc0-a846-971c45aa00e7"
+license = "Elastic License v2"
+name = "Curl Execution via Node"
+os_list = ["macos"]
+reference = ["https://medium.com/@D00MFist/loads-of-fun-e1f0dac3d4f8"]
+version = "1.0.4"
+
+query = '''
+process where event.type == "start" and process.parent.name : "node" and
+  (
+    (process.name : ("sh", "bash", "zsh", "tclsh*") and
+     process.args : "-c" and
+     process.args : ("curl*", "nscurl*")) or
+    (process.name : ("curl", "nscurl"))
+  ) and
+  not process.args : ("curl -sfL https://raw.githubusercontent.com/lokalise/*", "*http://elastic:changeme@localhost:5601*") and
+  not process.Ext.effective_parent.executable : "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
+'''
+
+min_endpoint_version = "8.7.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "8.7.0"
diff --git a/behavior/rules/command_and_control_url_as_process_argument_via_installer_package.toml b/behavior/rules/command_and_control_url_as_process_argument_via_installer_package.toml
new file mode 100644
index 00000000..dc4b7e67
--- /dev/null
+++ b/behavior/rules/command_and_control_url_as_process_argument_via_installer_package.toml
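Review bot: The exclusion `"*http://elastic:changeme@localhost:5601*"` in `not process.args : (...)` looks like a local development-environment artifact (default credentials against a local Kibana port) rather than a general false positive, and the `lokalise` entry is equally specific to one CI setup; shipping them in a public rule bakes in suppressions that only help one environment while quietly widening the allow-list for everyone else. Either drop them or keep them behind a `// ...` comment naming the false positive each one was added for, so the next reviewer can retire them. The Terminal.app exclusion on `process.Ext.effective_parent.executable` deserves the same one-line justification.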
@@ -0,0 +1,53 @@
+[rule]
+description = """
+Detects when a url is supplied as a command line argument to an installer package binary via the installer process
+itself. This technique is a creative way to download a second stage payload and evade curl based detections. This
+activity can be observed when in a pre or post install script it specifies a url as an argument to a binary included in
+the package that when executed will reach out to the specified url.
+"""
+id = "b06dcea7-9ef3-428d-bd4d-80004f69200f"
+license = "Elastic License v2"
+name = "URL as Process Argument via Installer Package"
+os_list = ["macos"]
+version = "1.0.2"
+
+query = '''
+process where event.type == "start" and
+  process.Ext.effective_parent.executable : "/usr/sbin/installer" and
+  process.args : "http*" and
+  not process.name : ("wget", "curl", "git", "nscurl") and
+  not process.executable : ("/opt/homebrew/*", "/usr/local/Cellar/*", "/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Helpers/ksadmin")
+'''
+
+min_endpoint_version = "8.7.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+[[threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+
+[[threat.technique]]
+id = "T1105"
+name = "Ingress Tool Transfer"
+reference = "https://attack.mitre.org/techniques/T1105/"
+
+
+[threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[internal]
+min_endpoint_version = "8.7.0"
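Review bot: `process.args : "http*"` matches any argument that merely starts with "http" (an `http_proxy=...` assignment, an `httpd` subcommand, a file named `httpclient.conf`), which is wider than the URL-as-argument behaviour the description and rule name describe. `process.args : ("http://*", "https://*")` pins the predicate to actual URLs; if other schemes are intended, list them explicitly rather than relying on the prefix. The path-only exclusions on `process.executable` (`/opt/homebrew/*`, `/usr/local/Cellar/*`) are user-writable on typical Homebrew installs, so a `// ...` comment naming the false positive they suppress, and ideally a code-signature condition alongside them, would keep the suppression from being broader than intended.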
diff --git a/behavior/rules/credential_access_crypto_wallet_file_access_by_unsigned_or_untrusted_binary.toml b/behavior/rules/credential_access_crypto_wallet_file_access_by_unsigned_or_untrusted_binary.toml
new file mode 100644
index 00000000..0652d7c5
--- /dev/null
+++ b/behavior/rules/credential_access_crypto_wallet_file_access_by_unsigned_or_untrusted_binary.toml
@@ -0,0 +1,56 @@
+[rule]
+description = """
+Detects when a suspicious process attempts to access a crypto wallet sensitive file. This is an alpha version of this
+rule and meant to be used to assess and test.
+"""
+id = "a3050eae-c8ae-434d-aeff-97112eddcb48"
+license = "Elastic License v2"
+name = "Crypto Wallet File Access by Unsigned or Untrusted Binary"
+os_list = ["macos"]
+version = "1.0.8"
+
+query = '''
+file where event.action == "open" and
+  file.path : ("/Users/*/.electrum/wallets/*",
+               "/Users/*/Library/Application Support/Exodus/exodus.wallet",
+               "/Users/*/Library/Application Support/Coinomi/wallets/*",
+               "/Users/*/Library/Application Support/atomic/Local Storage/leveldb/*",
+               "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/nkbihfbeogaeaoehlefnkodbefgpgknn/*",
+               "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/fhilaheimglignddkjgofkcbgekhenbh/*",
+               "/Users/*/Library/Application Support/Google/Chrome/Default/Extensions/odbfpeeihdkbihmopkbjmoonfanlbfcl/*",
+               "/Users/*/Library/Application Support/BraveSoftware/Brave-Browser/BraveWallet/*",
+               "/Users/*/Library/Application Support/BraveSoftware/Brave-Browser/Default/BraveWallet/Brave Wallet Storage/*",
+               "/Users/*/Library/Application Support/Firefox/Profiles/*/extensions/webextension@metamask.io.xpi",
+               "/Users/*/Library/Application Support/Microsoft Edge/Edge Wallet/*",
+               "/Users/*/Library/Application Support/Microsoft Edge/Default/Extensions/ejbalbakoplchlghecdalmeeeajnimhm/*") and
+  process.executable != null and
+  (process.code_signature.trusted == false or process.code_signature.exists == false)
+'''
+
+min_endpoint_version = "8.11.1"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1552"
+name = "Unsecured Credentials"
+reference = "https://attack.mitre.org/techniques/T1552/"
+[[threat.technique.subtechnique]]
+id = "T1552.001"
+name = "Credentials In Files"
+reference = "https://attack.mitre.org/techniques/T1552/001/"
+
+
+
+[threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+
+[internal]
+min_endpoint_version = "8.11.1"
diff --git a/behavior/rules/defense_evasion_dylib_load_via_untrusted_process_in_temporary_directory.toml b/behavior/rules/defense_evasion_dylib_load_via_untrusted_process_in_temporary_directory.toml
new file mode 100644
index 00000000..2714106c
--- /dev/null
+++ b/behavior/rules/defense_evasion_dylib_load_via_untrusted_process_in_temporary_directory.toml
@@ -0,0 +1,46 @@
+[rule]
+description = """
+Identifies instances where a dynamic library (dylib) is loaded by an untrusted process on macOS. Threat actors may abuse
+this technique by leveraging compromised or malicious processes to load dylibs for code injection, persistence, or
+privilege escalation. When a dylib is loaded by an untrusted or unsigned process, it may indicate that the process
+itself is malicious or has been tampered with, bypassing security mechanisms that rely on process code signing to
+validate the integrity and authenticity of the process.
+"""
+id = "f8367f4d-08ca-4865-840c-7cb965a14eeb"
+license = "Elastic License v2"
+name = "Dylib Load via Untrusted Process in Temporary Directory"
+os_list = ["macos"]
+version = "1.0.18"
+
+query = '''
+library where event.action == "load" and
+  process.executable : ("/tmp/*", "/var/tmp/*", "/private/tmp/*") and
+  process.code_signature.trusted == false and
+  not process.code_signature.status : "errorCode_endpoint*" and
+  not Effective_process.executable : "/opt/homebrew/*" and
+  not dll.path : ("/Applications/Xcode.app/*", "/Applications/Xcode-*.app/*", "/opt/homebrew/*") and
+  not (Effective_process.executable : "/nix/store/*" and dll.path : "/nix/store/*")
+'''
+
+min_endpoint_version = "8.11.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "8.11.0"
diff --git a/behavior/rules/defense_evasion_linux_file_made_executable_by_suspicious_parent.toml b/behavior/rules/defense_evasion_linux_file_made_executable_by_suspicious_parent.toml
new file mode 100644
index 00000000..f7365710
--- /dev/null
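Review bot: The description covers an "untrusted or unsigned process" but the query only keeps `process.code_signature.trusted == false`; the crypto-wallet rule in this same commit expresses the same intent as `(process.code_signature.trusted == false or process.code_signature.exists == false)`. If `trusted` is not populated for binaries that carry no signature at all (which I cannot confirm from here), unsigned executables in `/tmp` are exactly the case this rule misses. Aligning the predicate with the sibling rule, `(process.code_signature.trusted == false or process.code_signature.exists == false) and`, closes that gap, and the `errorCode_endpoint*` status exclusion on the next line deserves a `// ...` comment explaining what condition it suppresses.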
+++ b/behavior/rules/defense_evasion_linux_file_made_executable_by_suspicious_parent.toml
@@ -0,0 +1,49 @@
+[rule]
+description = """
+Detects when a file located in a suspicious location is made executable using chmod via an abnormal or suspicious parent
+process. Malware will often drop a second stage payload or file and will need to make it executable before invoking it.
+"""
+id = "742037b3-3ef6-4a33-84ed-b26fc6ae322c"
+license = "Elastic License v2"
+name = "Linux File Made Executable by Suspicious Parent"
+os_list = ["linux"]
+version = "1.0.4"
+
+query = '''
+process where event.action == "exec" and event.type == "start" and process.name == "chmod" and
+process.args : ("+x", "a+x", "0777", "755", "777") and process.args : "/dev/shm/*" and
+process.parent.executable != null
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+[[threat.technique.subtechnique]]
+id = "T1222.002"
+name = "Linux and Mac File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/002/"
+
+
+[[threat.technique]]
+id = "T1564"
+name = "Hide Artifacts"
+reference = "https://attack.mitre.org/techniques/T1564/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"
diff --git a/behavior/rules/defense_evasion_linux_shared_object_load_via_ssh_keygen.toml b/behavior/rules/defense_evasion_linux_shared_object_load_via_ssh_keygen.toml
new file mode 100644
index 00000000..0c42aebb
--- /dev/null
+++ b/behavior/rules/defense_evasion_linux_shared_object_load_via_ssh_keygen.toml
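Review bot: The name "by Suspicious Parent" and the description's "abnormal or suspicious parent process" are not implemented: the only parent condition is `process.parent.executable != null`, which every exec'd process satisfies, so the rule actually fires on any `chmod` of a `/dev/shm/*` path regardless of who launched it. Either the name and description should say that the suspicious element is the `/dev/shm` location (and drop the parent wording), or the query needs a real parent constraint, e.g. a `not process.parent.executable : (...)` list of expected launchers, with a `// ...` comment explaining the choice. The `!= null` guard itself reads like a placeholder left from an earlier draft.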
@@ -0,0 +1,45 @@
+[rule]
+description = """
+Detects when the ssh-keygen binary is executed with the -D argument which can be used to load a malicious shared object
+into memory.
+"""
+id = "cc29bf55-8d7f-45df-b8fe-212968c8951c"
+license = "Elastic License v2"
+name = "Linux Shared Object Load via SSH-Keygen"
+os_list = ["linux"]
+reference = [
+    "https://medium.com/@D00MFist/generate-keys-or-generate-dylib-loads-c99ed48f323d",
+    "https://gtfobins.github.io/gtfobins/ssh-keygen/",
+]
+version = "1.0.3"
+
+query = '''
+process where event.action == "exec" and event.type == "start" and process.name == "ssh-keygen" and
+process.args == "-D" and process.args_count >= 3 and not process.args : (
+  "/lib/*", "/usr/lib/*", "/usr/local/lib/*",
+  "/lib64/*", "/usr/lib64/*", "/usr/local/lib64/*"
+)
+'''
+
+min_endpoint_version = "7.15.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "7.15.0"
diff --git a/behavior/rules/defense_evasion_payload_decoded_and_decrypted_via_built_in_utilities.toml b/behavior/rules/defense_evasion_payload_decoded_and_decrypted_via_built_in_utilities.toml
index d9bdf963..d4f8ba88 100644
--- a/behavior/rules/defense_evasion_payload_decoded_and_decrypted_via_built_in_utilities.toml
+++ b/behavior/rules/defense_evasion_payload_decoded_and_decrypted_via_built_in_utilities.toml
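Review bot: The query's two non-obvious conditions, `process.args_count >= 3` and the `not process.args : (...)` list of system library directories, carry no explanation, while the openssl rule touched later in this commit shows that EQL `// ...` comments are the house style. Add a comment above the exclusion stating that `-D` takes a shared-object path and that libraries under the root-owned system library directories are treated as expected, and one above `args_count` stating that the threshold requires a provider path to actually follow `-D`; without those, the next tuner has no way to tell whether widening or narrowing either is safe. Note the exclusion also suppresses the event if any argument, not just the `-D` operand, matches those directories, which is worth mentioning in the same comment.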
@@ -10,7 +10,7 @@ license = "Elastic License v2"
 name = "Payload Decoded and Decrypted via Built-In Utilities"
 os_list = ["macos"]
 reference = ["https://attack.mitre.org/software/S0482/", "https://attack.mitre.org/software/S0402/"]
-version = "1.0.28"
+version = "1.0.29"
 
 query = '''
 process where event.action == "exec" and process.name == "openssl" and
@@ -18,7 +18,12 @@ process where event.action == "exec" and process.name == "openssl" and
     // openssl base64-decoding data
     process.args : "-base64" and
     // openssl decrypting input data
-    process.args : "-d"
+    process.args : "-d" and
+    process.args_count > 4 and
+    not process.Ext.effective_parent.executable : ("/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon",
+                                                   "/Applications/iTerm.app/Contents/MacOS/iTerm2",
+                                                   "/usr/local/jamf/bin/jamf",
+                                                   "/Library/Addigy/go-agent")
 '''
 
 min_endpoint_version = "8.7.0"
diff --git a/behavior/rules/execution_command_execution_via_screen_session.toml b/behavior/rules/execution_command_execution_via_screen_session.toml
new file mode 100644
index 00000000..edeb5466
--- /dev/null
+++ b/behavior/rules/execution_command_execution_via_screen_session.toml
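Review bot: The two new conditions in the second hunk break the query's own convention: every existing predicate is preceded by a `// ...` comment, but `process.args_count > 4 and` and the `not process.Ext.effective_parent.executable : (...)` block arrive without one. Add `// require more than the bare decode/decrypt flags` (and record there the invocation shape the threshold is meant to admit, which I cannot derive from the visible part of the query) above the count check, and `// known MDM / terminal agents that legitimately decode payloads` above the exclusion list. The exclusion is path-only; a maintainer reading it later cannot tell whether the parent's code signature was considered, so say so in the comment. The enclosing query starts before this hunk.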
@@ -0,0 +1,46 @@
+[rule]
+description = """
+Detects the execution of the screen binary to execute a command or commands via a shell. Threat actors have used this
+technique via interactive sessions to execute commands on the host and avoid standard detections.
+"""
+id = "232c03d2-ff5d-4ec5-88b5-5926dc491e91"
+license = "Elastic License v2"
+name = "Command Execution via Screen Session"
+os_list = ["macos"]
+version = "1.0.3"
+
+query = '''
+process where event.type == "start" and event.action == "exec" and
+  process.name : "screen" and
+  process.args : ("/bin/bash", "/usr/bin/bash", "/bin/sh", "/usr/bin/sh", "/bin/zsh", "/usr/bin/zsh", "bash", "sh", "zsh") and
+  process.args : "-c" and
+  not process.Ext.effective_parent.executable : "/Applications/kitty.app/Contents/MacOS/kitty"
+'''
+
+min_endpoint_version = "8.7.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[internal]
+min_endpoint_version = "8.7.0"
diff --git a/behavior/rules/execution_powershell_encoded_command.toml b/behavior/rules/execution_powershell_encoded_command.toml
new file mode 100644
index 00000000..37d36263
--- /dev/null
+++ b/behavior/rules/execution_powershell_encoded_command.toml
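Review bot: `process.args : (... shells ...)` and `process.args : "-c"` are independent membership tests, so the rule cannot tell a shell's `-c` from screen's own `-c <rcfile>` option; a user starting `screen -c ~/.screenrc zsh` satisfies both predicates with no command string at all, which is a false-positive source the kitty exclusion hints at but does not address. If `process.command_line` is available on this event, an ordered match such as `process.command_line : ("* bash -c *", "* sh -c *", "* zsh -c *")` (wildcards are illustrative; confirm the field exists) would express the intent; otherwise record the limitation in a `// ...` comment. The kitty exclusion should also say which behaviour of that terminal it suppresses.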
@@ -0,0 +1,52 @@
+[rule]
+description = """
+Detects process events where the process is Powershell (pwsh) or a shell interpreter (sh, bash, zsh) with the encoded
+command flag set in the process arguments. Powershell usage on macOS is extremely rare but usage of Powershell with the
+encoded command flag, used for executing base64 encoded command strings, is almost always inherently malicous.
+"""
+id = "4abb4f46-2066-4769-b073-dca491067e1b"
+license = "Elastic License v2"
+name = "Powershell Encoded Command"
+os_list = ["macos"]
+version = "1.0.12"
+
+query = '''
+process where event.type == "start" and process.args : ("-EncodedCommand", "-enc") and
+  process.name : ("sh", "bash", "zsh", "pwsh") and
+  not process.args : "/Applications/Visual Studio Code.app/*" and
+  not process.executable : "/Applications/Docker.app/Contents/Resources/bin/docker" and
+  not process.parent.executable : ("/Applications/Docker.app/Contents/Resources/bin/com.docker.cli",
+                                   "/Applications/Docker.app/Contents/Resources/bin/docker") and
+  not process.Ext.effective_parent.name : "electron" and
+  not ((process.name : "zsh" and process.parent.name : "zsh") or
+       (process.name : "pwsh" and process.parent.name : "pwsh") or
+       (process.name : "pwsh" and process.parent.name : "Code Helper"))
+'''
+
+min_endpoint_version = "8.7.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[internal]
+min_endpoint_version = "8.7.0"
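Review bot: The exclusion `(process.name : "zsh" and process.parent.name : "zsh")` suppresses every zsh child of a zsh carrying `-EncodedCommand`/`-enc`, which is a much wider carve-out than the other two (pwsh under pwsh, pwsh under Code Helper) and swallows the ordinary case of a user's interactive zsh launching a `zsh -c '... -enc ...'` wrapper; if it exists to quiet shell re-initialisation, a `// ...` comment saying so is needed, and otherwise it should be narrowed to the specific parent executable that caused the false positive. The description also has a typo: "malicous" should be "malicious". The `not process.Ext.effective_parent.name : "electron"` line excludes by bare process name, which any binary can adopt; consider the executable path instead.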
diff --git a/behavior/rules/execution_suspicious_child_process_execution_via_interactive_shell.toml b/behavior/rules/execution_suspicious_child_process_execution_via_interactive_shell.toml
new file mode 100644
index 00000000..a8c9bbb5
--- /dev/null
+++ b/behavior/rules/execution_suspicious_child_process_execution_via_interactive_shell.toml
@@ -0,0 +1,49 @@
+[rule]
+description = """
+Detects when a process is executed via an interactive shell. C2 platforms will commonly spawn an interactive shell
+providing the threat actor with a remote shell on the system as if they were physically at the terminal allowing them to
+send and execute commands manually.
+"""
+id = "f10a679a-c266-494f-b3aa-53830949d288"
+license = "Elastic License v2"
+name = "Suspicious Child Process Execution via Interactive Shell"
+os_list = ["macos"]
+version = "1.0.11"
+
+query = '''
+sequence by process.Ext.effective_parent.entity_id with maxspan=30s
+[process where event.type == "start" and event.action == "exec" and process.name : ("zsh", " bash", "sh") and process.args : "-i" and process.args_count <= 2]
+[process where event.type == "start" and event.action == "exec" and
+  process.name : ("nscurl", "wget", "ssh", "whoami", "dscl", "osascript", ".*") and
+  not process.args : "SendEnv=GIT_PROTOCOL" and
+  not process.parent.executable : ("/Library/Developer/CommandLineTools/usr/bin/git",
+                                   "/opt/homebrew/Cellar/git/*")]
+'''
+
+min_endpoint_version = "8.7.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[threat.technique.subtechnique]]
+id = "T1059.004"
+name = "Unix Shell"
+reference = "https://attack.mitre.org/techniques/T1059/004/"
+
+
+
+[threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+
+[internal]
+min_endpoint_version = "8.7.0"
diff --git a/behavior/rules/persistence_dock_tile_plug_in_load.toml b/behavior/rules/persistence_dock_tile_plug_in_load.toml
new file mode 100644
index 00000000..fb005824
--- /dev/null
+++ b/behavior/rules/persistence_dock_tile_plug_in_load.toml
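Review bot: The first sequence step has a literal leading space in `" bash"` inside `process.name : ("zsh", " bash", "sh")`, so an interactive bash never matches and the rule silently covers only zsh and sh; the fix is `process.name : ("zsh", "bash", "sh")`. In the second step, `".*"` in the `process.name` list reads like a regular expression that leaked into a wildcard list: under EQL wildcard semantics it matches names beginning with a literal dot, which may be the intent (dot-prefixed hidden binaries) but is not what a reader assumes, so either replace it with the intended pattern or add `// names starting with a literal "." (hidden binaries)` above it. The git exclusions on the second step would also benefit from a one-line comment naming the false positive.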
@@ -0,0 +1,41 @@
+[rule]
+description = """
+Detects when an Application's Dock Tile Plugin gets mapped into memory by the macOS XPC external dock service process.
+Threat actors can add Dock Tile Plugins to their applications (APP_NAME.app/Contents/PlugIns/DockTile). The plugin will
+be recognized by launch services, registered, and the plugin will be loaded. These plugins are not visible to the user,
+can react to various system events, and will be loaded at each login, so persists across reboots, and runs inside a
+legitimate system process which is not sandboxed.
+"""
+id = "6fc9c19f-0315-482c-b056-e20a8d0f1b2e"
+license = "Elastic License v2"
+name = "Dock Tile Plug-In Load"
+os_list = ["macos"]
+reference = ["https://theevilbit.github.io/beyond/beyond_0032/"]
+version = "1.0.3"
+
+query = '''
+library where event.action == "load" and process.name : "com.apple.dock.external.extra.arm64"
+'''
+
+min_endpoint_version = "8.7.0"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+
+
+[threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[internal]
+min_endpoint_version = "8.7.0"
diff --git a/behavior/rules/persistence_suspicious_launch_service_property_list_file_creation.toml b/behavior/rules/persistence_suspicious_launch_service_property_list_file_creation.toml
index d6ff384b..303cb6f4 100644
--- a/behavior/rules/persistence_suspicious_launch_service_property_list_file_creation.toml
+++ b/behavior/rules/persistence_suspicious_launch_service_property_list_file_creation.toml
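Review bot: The query keys on the single process name `com.apple.dock.external.extra.arm64`, so Intel hosts (where the host process presumably carries an `x86_64` suffix rather than `arm64`; verify against an Intel endpoint before relying on it) get no coverage even though `os_list = ["macos"]` claims all of macOS; a wildcard such as `process.name : "com.apple.dock.external.extra.*"` or an explicit second name would close that. The rule also has no `dll.path` or `dll.code_signature` condition, so every dock-tile plug-in load fires and is killed, including plug-ins shipped with Apple-signed or notarised applications; the description frames the threat as plug-ins added by an attacker, so either constrain the library side or document in a `// ...` comment that every load is intentionally treated as suspicious.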
@@ -10,10 +10,11 @@ license = "Elastic License v2"
 name = "Suspicious Launch Service Property List File Creation"
 os_list = ["macos"]
 reference = ["https://redcanary.com/blog/clipping-silver-sparrows-wings/"]
-version = "1.0.30"
+version = "1.0.31"
 
 query = '''
-persistence where event.action == "launch_daemon" and process.name : "plistbuddy" and (Persistence.runatload == true or Persistence.keepalive == true)
+persistence where event.action == "launch_daemon" and process.name : "plistbuddy" and (Persistence.runatload == true or Persistence.keepalive == true) and
+    not Persistence.args : "/Library/Application Support/JamfAppInstallers/*"
 '''
 
 min_endpoint_version = "8.11.0"
diff --git a/behavior/rules/privilege_escalation_executewithprivileges_prompt_via_unsigned_or_untrusted_application.toml b/behavior/rules/privilege_escalation_executewithprivileges_prompt_via_unsigned_or_untrusted_application.toml
new file mode 100644
index 00000000..eab7b164
--- /dev/null
+++ b/behavior/rules/privilege_escalation_executewithprivileges_prompt_via_unsigned_or_untrusted_application.toml
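Review bot: The new exclusion `not Persistence.args : "/Library/Application Support/JamfAppInstallers/*"` suppresses on a path string inside the persisted program arguments alone, with no tie to the process that wrote the plist or to its signer; anything able to write under that directory, or to name it in a launch daemon's arguments, inherits the exemption. At minimum add `// Jamf app installer daemons set RunAtLoad/KeepAlive legitimately` above it so the reason is recorded, and if the persistence event exposes the creating process's code signature, pair the path with a trust condition on it (I cannot confirm the available fields from this hunk). The `plistbuddy` match on the same line is case-sensitive only if `:` is; a comment on the expected casing would avoid a future regression.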
@@ -0,0 +1,64 @@
+[rule]
+description = """
+Detects the use of the AuthorizationExecuteWithPrivileges function to provide the user a password prompt via an unsigned
+or untrusted application. Threat actors have recently used this in order to trick users into providing their malicious
+application with higher privileges.
+"""
+id = "559fc9c7-f2fd-4fd9-af07-df8b7408e0b8"
+license = "Elastic License v2"
+name = "ExecuteWithPrivileges Prompt via Unsigned or Untrusted Application"
+os_list = ["macos"]
+reference = ["https://securelist.com/new-macos-backdoor-crypto-stealer/111778/"]
+version = "1.0.1"
+
+query = '''
+process where event.type : "start" and event.action == "exec" and process.name: "security_authtrampoline" and
+  process.args : ("/Applications/*", "/Volumes/*") and process.args : "auth*" and
+  (process.parent.code_signature.exists == false or process.parent.code_signature.trusted == false) and
+  process.Ext.effective_parent.executable : ("/Applications/*", "/Volumes/*")
+'''
+
+min_endpoint_version = "8.10.2"
+optional_actions = []
+[[actions]]
+action = "kill_process"
+field = "process.entity_id"
+state = 0
+
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[threat.technique.subtechnique]]
+id = "T1548.004"
+name = "Elevated Execution with Prompt"
+reference = "https://attack.mitre.org/techniques/T1548/004/"
+
+
+
+[threat.tactic]
+id = "TA0004"
+name = "Privilege Escalation"
+reference = "https://attack.mitre.org/tactics/TA0004/"
+[[threat]]
+framework = "MITRE ATT&CK"
+[[threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[threat.technique.subtechnique]]
+id = "T1548.004"
+name = "Elevated Execution with Prompt"
+reference = "https://attack.mitre.org/techniques/T1548/004/"
+
+
+
+[threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[internal]
+min_endpoint_version = "8.10.2"
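Review bot: The query's first line mixes operator styles that every other rule in this commit keeps uniform: `event.type : "start"` uses the wildcard operator where the siblings write `event.type == "start"`, and `process.name: "security_authtrampoline"` drops the space before `:` that the rest of the file and the sibling rules use. Normalising to `process where event.type == "start" and event.action == "exec" and process.name : "security_authtrampoline" and` keeps the rule set greppable and avoids a reader wondering whether the wildcard form was intentional. The duplicated `[[threat]]` block (T1548 / T1548.004 under both Privilege Escalation and Defense Evasion) is a valid ATT&CK mapping, but the blank-line spacing before the second `[[threat]]` header differs from the three-blank-line pattern used above it; the `process.args : "auth*"` predicate would also read better with a `// ...` comment stating which argument it is meant to match.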