From 7acb75486247cde5e1568a8c2458e29abab404b8 Mon Sep 17 00:00:00 2001 
From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com>
Date: Tue, 28 Nov 2023 20:41:18 +0000
Subject: [PATCH 1/2] Update latest docs

---
 ...ess-of-stored-browser-credentials.asciidoc | 86 +++++++++ ...-keychain-credentials-directories.asciidoc | 92 ++++++++++ ...ured-with-never-expiring-password.asciidoc | 105 +++++++++++ ...on-followed-by-network-connection.asciidoc | 82 +++++++++ ...ion-with-administrator-privileges.asciidoc | 71 ++++++++ ...0-7-attempt-to-disable-gatekeeper.asciidoc | 63 +++++++ ...ttempt-to-enable-the-root-account.asciidoc | 66 +++++++ ...tempt-to-install-root-certificate.asciidoc | 68 +++++++ ...-mount-smb-share-via-command-line.asciidoc | 73 ++++++++ ...-remove-file-quarantine-attribute.asciidoc | 72 ++++++++ ...ndpoint-security-kernel-extension.asciidoc | 76 ++++++++ ...authorization-plugin-modification.asciidoc | 69 +++++++ ...on-of-a-hidden-local-user-account.asciidoc | 109 +++++++++++ ...-of-hidden-launch-agent-or-daemon.asciidoc | 86 +++++++++ ...idden-login-item-via-apple-script.asciidoc | 81 +++++++++ ...ount-hashes-via-built-in-commands.asciidoc | 63 +++++++ ...hain-content-via-security-command.asciidoc | 65 +++++++ ...nd-rules-creation-or-modification.asciidoc | 67 +++++++ ...s-or-groups-via-built-in-commands.asciidoc | 89 +++++++++ ...tron-child-process-node-js-module.asciidoc | 72 ++++++++ ...xplicit-credentials-via-scripting.asciidoc | 81 +++++++++ ...ync-plugin-registered-and-enabled.asciidoc | 75 ++++++++ ...ta-user-session-started-via-proxy.asciidoc | 97 ++++++++++ ...seen-newcredentials-logon-process.asciidoc | 66 +++++++ ...rberos-cached-credentials-dumping.asciidoc | 72 ++++++++ ...ssword-retrieval-via-command-line.asciidoc | 79 ++++++++ ...odification-and-immediate-loading.asciidoc | 69 +++++++ ...odification-and-immediate-loading.asciidoc | 63 +++++++ ...ller-package-spawns-network-event.asciidoc | 82 +++++++++ ...nvironment-variable-via-launchctl.asciidoc | 78 ++++++++ 
...ari-settings-via-defaults-command.asciidoc | 75 ++++++++ ...dresses-for-a-single-user-session.asciidoc | 77 ++++++++ ...ssions-detected-for-a-single-user.asciidoc | 76 ++++++++ ...s-with-the-same-device-token-hash.asciidoc | 75 ++++++++ ...-authentication-behavior-detected.asciidoc | 92 ++++++++++ ...ntity-provider-idp-added-by-admin.asciidoc | 102 +++++++++++ ...-okta-fastpass-phishing-detection.asciidoc | 72 ++++++++ ...ign-in-events-via-third-party-idp.asciidoc | 116 ++++++++++++ ...arted-from-different-geolocations.asciidoc | 77 ++++++++ ...ectoryservice-plugin-modification.asciidoc | 62 +++++++ ...-via-docker-shortcut-modification.asciidoc | 63 +++++++ ...sistence-via-folder-action-script.asciidoc | 74 ++++++++ ...sistence-via-login-or-logout-hook.asciidoc | 70 ++++++++ ...tial-admin-group-account-addition.asciidoc | 66 +++++++ ...idden-local-user-account-creation.asciidoc | 66 +++++++ ...ntial-kerberos-attack-via-bifrost.asciidoc | 79 ++++++++ ...al-macos-ssh-brute-force-detected.asciidoc | 61 +++++++ ...-microsoft-office-sandbox-evasion.asciidoc | 63 +++++++ ...fa-bombing-via-push-notifications.asciidoc | 112 ++++++++++++ ...via-atom-init-script-modification.asciidoc | 63 +++++++ ...ential-persistence-via-login-hook.asciidoc | 82 +++++++++ ...al-persistence-via-periodic-tasks.asciidoc | 68 +++++++ ...-bypass-via-localhost-secure-copy.asciidoc | 74 ++++++++ ...rol-bypass-via-tccdb-modification.asciidoc | 69 +++++++ ...fa-bombing-via-push-notifications.asciidoc | 111 ++++++++++++ ...ia-root-crontab-file-modification.asciidoc | 67 +++++++ ...pt-for-credentials-with-osascript.asciidoc | 67 +++++++ ...-remote-execution-via-file-shares.asciidoc | 125 +++++++++++++ ...7-remote-file-copy-via-teamviewer.asciidoc | 138 ++++++++++++++ ...n-enabled-via-systemsetup-command.asciidoc | 70 ++++++++ ...le-modified-by-unexpected-process.asciidoc | 105 +++++++++++ ...ell-execution-via-apple-scripting.asciidoc | 64 +++++++ ...reupdate-preferences-modification.asciidoc | 67 
+++++++ ...r-application-script-modification.asciidoc | 74 ++++++++ ...ous-automator-workflows-execution.asciidoc | 63 +++++++ ...-suspicious-browser-child-process.asciidoc | 89 +++++++++ ...icious-calendar-file-modification.asciidoc | 75 ++++++++ ...obe-acrobat-reader-update-service.asciidoc | 73 ++++++++ ...-crontab-creation-or-modification.asciidoc | 67 +++++++ ...-7-suspicious-emond-child-process.asciidoc | 89 +++++++++ ...s-hidden-child-process-of-launchd.asciidoc | 81 +++++++++ ...ous-macos-ms-office-child-process.asciidoc | 99 ++++++++++ ...ious-managed-code-hosting-process.asciidoc | 74 ++++++++ ...suspicious-werfault-child-process.asciidoc | 101 +++++++++++ ...systemkey-access-via-command-line.asciidoc | 66 +++++++ ...-via-mounted-apfs-snapshot-access.asciidoc | 63 +++++++ ...ocess-of-macos-screensaver-engine.asciidoc | 81 +++++++++ ...rivate-network-connection-attempt.asciidoc | 68 +++++++ ...-7-webproxy-settings-modification.asciidoc | 66 +++++++ .../prebuilt-rules-8-10-7-appendix.asciidoc | 85 +++++++++ .../prebuilt-rules-8-10-7-summary.asciidoc | 170 ++++++++++++++++++ ...ebuilt-rules-downloadable-updates.asciidoc | 5 + .../prebuilt-rules-reference.asciidoc | 148 ++++++++------- .../prebuilt-rules/rule-desc-index.asciidoc | 13 +- ...ess-of-stored-browser-credentials.asciidoc | 3 +- ...-keychain-credentials-directories.asciidoc | 3 +- ...ured-with-never-expiring-password.asciidoc | 3 +- ...-hidden-file-attribute-via-attrib.asciidoc | 2 +- .../adobe-hijack-persistence.asciidoc | 2 +- ...-process-for-a-windows-population.asciidoc | 2 +- ...nomalous-windows-process-creation.asciidoc | 2 +- ...on-followed-by-network-connection.asciidoc | 3 +- ...ion-with-administrator-privileges.asciidoc | 3 +- .../attempt-to-disable-gatekeeper.asciidoc | 3 +- ...ttempt-to-enable-the-root-account.asciidoc | 3 +- ...tempt-to-install-root-certificate.asciidoc | 3 +- ...-mount-smb-share-via-command-line.asciidoc | 3 +- ...-remove-file-quarantine-attribute.asciidoc | 3 +- 
...ndpoint-security-kernel-extension.asciidoc | 3 +- ...authorization-plugin-modification.asciidoc | 3 +- .../bypass-uac-via-event-viewer.asciidoc | 2 +- ...dification-through-built-in-tools.asciidoc | 2 +- ...icy-modification-through-registry.asciidoc | 2 +- ...command-prompt-network-connection.asciidoc | 2 +- ...n-to-commonly-abused-web-services.asciidoc | 2 +- ...on-of-a-hidden-local-user-account.asciidoc | 1 + ...-of-hidden-launch-agent-or-daemon.asciidoc | 3 +- ...idden-login-item-via-apple-script.asciidoc | 3 +- .../direct-outbound-smb-connection.asciidoc | 2 +- ...ount-hashes-via-built-in-commands.asciidoc | 3 +- ...hain-content-via-security-command.asciidoc | 3 +- ...nd-rules-creation-or-modification.asciidoc | 3 +- ...rivileged-local-groups-membership.asciidoc | 2 +- ...s-or-groups-via-built-in-commands.asciidoc | 3 +- ...om-unusual-directory-command-line.asciidoc | 2 +- ...tron-child-process-node-js-module.asciidoc | 3 +- ...xplicit-credentials-via-scripting.asciidoc | 3 +- ...ync-plugin-registered-and-enabled.asciidoc | 3 +- ...ta-user-session-started-via-proxy.asciidoc | 97 ++++++++++ ...value-accessed-in-secrets-manager.asciidoc | 2 +- .../first-time-seen-driver-loaded.asciidoc | 2 +- ...seen-newcredentials-logon-process.asciidoc | 66 +++++++ ...rberos-cached-credentials-dumping.asciidoc | 3 +- ...eros-traffic-from-unusual-process.asciidoc | 2 +- ...ssword-retrieval-via-command-line.asciidoc | 3 +- ...odification-and-immediate-loading.asciidoc | 3 +- ...odification-and-immediate-loading.asciidoc | 3 +- .../linux-group-creation.asciidoc | 4 +- .../linux-user-account-creation.asciidoc | 4 +- ...ux-user-added-to-privileged-group.asciidoc | 4 +- .../lsass-memory-dump-creation.asciidoc | 2 +- .../lsass-memory-dump-handle-access.asciidoc | 2 +- ...ller-package-spawns-network-event.asciidoc | 2 +- ...ld-engine-using-an-alternate-name.asciidoc | 2 +- ...nvironment-variable-via-launchctl.asciidoc | 3 +- ...ari-settings-via-defaults-command.asciidoc | 3 +- 
...sbuild-making-network-connections.asciidoc | 2 +- ...failure-followed-by-logon-success.asciidoc | 2 +- ...lure-from-the-same-source-address.asciidoc | 2 +- ...dresses-for-a-single-user-session.asciidoc | 77 ++++++++ ...ssions-detected-for-a-single-user.asciidoc | 76 ++++++++ ...s-with-the-same-device-token-hash.asciidoc | 75 ++++++++ .../network-connection-via-certutil.asciidoc | 2 +- ...connection-via-compiled-html-file.asciidoc | 2 +- ...nnection-via-registration-utility.asciidoc | 2 +- ...work-connection-via-signed-binary.asciidoc | 2 +- ...-authentication-behavior-detected.asciidoc | 92 ++++++++++ ...ntity-provider-idp-added-by-admin.asciidoc | 102 +++++++++++ .../new-systemd-timer-created.asciidoc | 4 +- .../okta-fastpass-phishing-detection.asciidoc | 72 ++++++++ ...ign-in-events-via-third-party-idp.asciidoc | 116 ++++++++++++ ...arted-from-different-geolocations.asciidoc | 77 ++++++++ ...ectoryservice-plugin-modification.asciidoc | 3 +- ...-via-docker-shortcut-modification.asciidoc | 3 +- ...sistence-via-folder-action-script.asciidoc | 3 +- ...sistence-via-login-or-logout-hook.asciidoc | 3 +- ...pdate-orchestrator-service-hijack.asciidoc | 2 +- ...-scripts-in-the-startup-directory.asciidoc | 2 +- ...tial-admin-group-account-addition.asciidoc | 3 +- ...n-interface-bypass-via-powershell.asciidoc | 2 +- ...ess-via-trusted-developer-utility.asciidoc | 2 +- ...ential-evasion-via-filter-manager.asciidoc | 2 +- ...idden-local-user-account-creation.asciidoc | 3 +- ...ntial-kerberos-attack-via-bifrost.asciidoc | 3 +- ...ux-backdoor-user-account-creation.asciidoc | 4 +- ...al-macos-ssh-brute-force-detected.asciidoc | 3 +- ...-microsoft-office-sandbox-evasion.asciidoc | 3 +- ...ication-of-accessibility-binaries.asciidoc | 2 +- ...fa-bombing-via-push-notifications.asciidoc | 112 ++++++++++++ ...rsistence-through-init-d-detected.asciidoc | 4 +- ...rough-motd-file-creation-detected.asciidoc | 4 +- ...ence-through-run-control-detected.asciidoc | 4 +- 
...via-atom-init-script-modification.asciidoc | 3 +- ...ential-persistence-via-login-hook.asciidoc | 3 +- ...al-persistence-via-periodic-tasks.asciidoc | 3 +- ...-bypass-via-localhost-secure-copy.asciidoc | 3 +- ...rol-bypass-via-tccdb-modification.asciidoc | 3 +- ...alation-via-installerfiletakeover.asciidoc | 2 +- ...ote-code-execution-via-web-server.asciidoc | 4 +- ...indows-error-manager-masquerading.asciidoc | 2 +- ...fa-bombing-via-push-notifications.asciidoc | 111 ++++++++++++ .../powershell-psreflect-script.asciidoc | 2 +- ...us-payload-encoded-and-compressed.asciidoc | 2 +- ...tion-via-named-pipe-impersonation.asciidoc | 2 +- ...ia-root-crontab-file-modification.asciidoc | 3 +- .../privileged-account-brute-force.asciidoc | 2 +- ...s-activity-via-compiled-html-file.asciidoc | 2 +- ...-termination-followed-by-deletion.asciidoc | 2 +- ...pt-for-credentials-with-osascript.asciidoc | 3 +- ...istry-persistence-via-appinit-dll.asciidoc | 2 +- .../remote-execution-via-file-shares.asciidoc | 5 +- .../remote-file-copy-via-teamviewer.asciidoc | 4 +- ...oad-via-desktopimgdownldr-utility.asciidoc | 2 +- ...remote-file-download-via-mpcmdrun.asciidoc | 2 +- ...mote-file-download-via-powershell.asciidoc | 2 +- ...e-download-via-script-interpreter.asciidoc | 2 +- ...n-enabled-via-systemsetup-command.asciidoc | 3 +- ...remotely-started-services-via-rpc.asciidoc | 2 +- ...enamed-autoit-scripts-interpreter.asciidoc | 2 +- ...-executed-with-short-program-name.asciidoc | 2 +- ...le-modified-by-unexpected-process.asciidoc | 3 +- ...ol-spawned-via-script-interpreter.asciidoc | 2 +- ...ell-execution-via-apple-scripting.asciidoc | 3 +- ...reupdate-preferences-modification.asciidoc | 3 +- ...-persistence-via-unsigned-process.asciidoc | 2 +- ...-or-run-key-registry-modification.asciidoc | 2 +- ...rsistence-by-a-suspicious-process.asciidoc | 2 +- ...r-application-script-modification.asciidoc | 3 +- ...urst-command-and-control-activity.asciidoc | 2 +- 
...us-antimalware-scan-interface-dll.asciidoc | 2 +- ...ous-automator-workflows-execution.asciidoc | 3 +- .../suspicious-browser-child-process.asciidoc | 2 +- ...icious-calendar-file-modification.asciidoc | 3 +- .../suspicious-certutil-commands.asciidoc | 2 +- ...obe-acrobat-reader-update-service.asciidoc | 3 +- ...-crontab-creation-or-modification.asciidoc | 2 +- .../suspicious-emond-child-process.asciidoc | 2 +- ...s-hidden-child-process-of-launchd.asciidoc | 3 +- ...ous-macos-ms-office-child-process.asciidoc | 2 +- ...ious-managed-code-hosting-process.asciidoc | 2 +- ...ous-net-reflection-via-powershell.asciidoc | 2 +- ...able-encoded-in-powershell-script.asciidoc | 2 +- ...us-print-spooler-spl-file-created.asciidoc | 2 +- ...ess-access-via-direct-system-call.asciidoc | 2 +- ...rocess-spawned-from-motd-detected.asciidoc | 4 +- ...rvice-was-installed-in-the-system.asciidoc | 2 +- ...startup-shell-folder-modification.asciidoc | 2 +- ...suspicious-werfault-child-process.asciidoc | 2 +- .../suspicious-zoom-child-process.asciidoc | 2 +- .../svchost-spawning-cmd.asciidoc | 2 +- .../system-shells-via-services.asciidoc | 2 +- ...systemkey-access-via-command-line.asciidoc | 3 +- ...-via-mounted-apfs-snapshot-access.asciidoc | 3 +- ...threat-intel-hash-indicator-match.asciidoc | 2 +- ...-intel-ip-address-indicator-match.asciidoc | 2 +- .../threat-intel-url-indicator-match.asciidoc | 2 +- ...-windows-registry-indicator-match.asciidoc | 2 +- ...ia-windows-directory-masquerading.asciidoc | 2 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 2 +- ...ocess-of-macos-screensaver-engine.asciidoc | 3 +- .../untrusted-driver-loaded.asciidoc | 2 +- ...tion-by-a-system-critical-process.asciidoc | 2 +- ...le-creation-alternate-data-stream.asciidoc | 2 +- ...vity-from-a-windows-system-binary.asciidoc | 2 +- ...unusual-parent-child-relationship.asciidoc | 2 +- ...nusual-process-for-a-windows-host.asciidoc | 2 +- ...rivate-network-connection-attempt.asciidoc | 3 +- 
.../webproxy-settings-modification.asciidoc | 3 +- ...ntial-dumping-using-netsh-command.asciidoc | 2 +- docs/index.asciidoc | 2 + 250 files changed, 7791 insertions(+), 286 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-access-of-stored-browser-credentials.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-access-to-keychain-credentials-directories.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-account-configured-with-never-expiring-password.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-apple-script-execution-followed-by-network-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-apple-scripting-execution-with-administrator-privileges.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-disable-gatekeeper.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-enable-the-root-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-install-root-certificate.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-mount-smb-share-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-remove-file-quarantine-attribute.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-authorization-plugin-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-a-hidden-local-user-account.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-hidden-launch-agent-or-daemon.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-hidden-login-item-via-apple-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-dumping-account-hashes-via-built-in-commands.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-dumping-of-keychain-content-via-security-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-emond-rules-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-enumeration-of-users-or-groups-via-built-in-commands.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-execution-via-electron-child-process-node-js-module.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-execution-with-explicit-credentials-via-scripting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-finder-sync-plugin-registered-and-enabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-first-occurrence-of-okta-user-session-started-via-proxy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-first-time-seen-newcredentials-logon-process.asciidoc create 
mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-kerberos-cached-credentials-dumping.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-keychain-password-retrieval-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-launch-agent-creation-or-modification-and-immediate-loading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-macos-installer-package-spawns-network-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-modification-of-environment-variable-via-launchctl.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-modification-of-safari-settings-via-defaults-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-client-addresses-for-a-single-user-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-sessions-detected-for-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-users-with-the-same-device-token-hash.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-new-okta-authentication-behavior-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-new-okta-identity-provider-idp-added-by-admin.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-fastpass-phishing-detection.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-sign-in-events-via-third-party-idp.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-user-sessions-started-from-different-geolocations.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-directoryservice-plugin-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-docker-shortcut-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-folder-action-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-login-or-logout-hook.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-admin-group-account-addition.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-hidden-local-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-kerberos-attack-via-bifrost.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-macos-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-microsoft-office-sandbox-evasion.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-okta-mfa-bombing-via-push-notifications.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-atom-init-script-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-login-hook.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-periodic-tasks.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-tccdb-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potentially-successful-mfa-bombing-via-push-notifications.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-privilege-escalation-via-root-crontab-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-prompt-for-credentials-with-osascript.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-execution-via-file-shares.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-file-copy-via-teamviewer.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-ssh-login-enabled-via-systemsetup-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-screensaver-plist-file-modified-by-unexpected-process.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-shell-execution-via-apple-scripting.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-softwareupdate-preferences-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-sublime-plugin-or-application-script-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-automator-workflows-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-browser-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-calendar-file-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-crontab-creation-or-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-emond-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-hidden-child-process-of-launchd.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-macos-ms-office-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-managed-code-hosting-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-werfault-child-process.asciidoc create mode 100644 
docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-systemkey-access-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-unexpected-child-process-of-macos-screensaver-engine.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-virtual-private-network-connection-attempt.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-webproxy-settings-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rules-8-10-7-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rules-8-10-7-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-okta-user-session-started-via-proxy.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-newcredentials-logon-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-client-addresses-for-a-single-user-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-sessions-detected-for-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-users-with-the-same-device-token-hash.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-okta-authentication-behavior-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-okta-identity-provider-idp-added-by-admin.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-fastpass-phishing-detection.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/okta-sign-in-events-via-third-party-idp.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-user-sessions-started-from-different-geolocations.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-okta-mfa-bombing-via-push-notifications.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potentially-successful-mfa-bombing-via-push-notifications.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-access-of-stored-browser-credentials.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-access-of-stored-browser-credentials.asciidoc new file mode 100644 index 0000000000..8a2f8eabbc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-access-of-stored-browser-credentials.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-8-10-7-access-of-stored-browser-credentials]] +=== Access of Stored Browser Credentials + +Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data", + "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies", + "/Users/*/Library/Application Support/Google/Chrome/Profile*/Cookies", + "/Users/*/Library/Cookies*", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db", + "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json", + "Login Data", + "Cookies.binarycookies", + "key4.db", + "key3.db", + "logins.json", + "cookies.sqlite" + ) and + not (process.name : "wordexp-helper" and process.parent.name : ("elastic-agent", "elastic-endpoint")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: 
https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-access-to-keychain-credentials-directories.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-access-to-keychain-credentials-directories.asciidoc new file mode 100644 index 0000000000..03b11e0958 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-access-to-keychain-credentials-directories.asciidoc 
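Review bot: the Firefox path globs in the `process.args` list of the new rule query only cover profile directories whose name ends in `.default` (`Profiles/*.default/cookies.sqlite`, `key*.db`, `logins.json`), while Firefox commonly names its default profile directory `*.default-release`; a full path into such a profile is matched by none of the path patterns, and the bare-filename terms ("Login Data", "key4.db", "logins.json", "cookies.sqlite") only fire when the file name is passed as a stand-alone argument. Either widen the globs to `Profiles/*/cookies.sqlite` (and likewise for `key*.db` and `logins.json`) or state the coverage limit in the rule description. Separately, the cross-reference after "see also" renders as an empty `<>` in this hunk (the same empty xref appears in the other new rule pages in this patch); confirm the xref target survived the generator.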
@@ -0,0 +1,92 @@ +[[prebuilt-rule-8-10-7-access-to-keychain-credentials-directories]] +=== Access to Keychain Credentials Directories + +Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x25.html +* https://securelist.com/calisto-trojan-for-macos/86543/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.args : + ( + "/Users/*/Library/Keychains/*", + "/Library/Keychains/*", + "/Network/Library/Keychains/*", + "System.keychain", + "login.keychain-db", + "login.keychain" + ) and + not process.args : ("find-certificate", + "add-trusted-cert", + "set-keychain-settings", + "delete-certificate", + "/Users/*/Library/Keychains/openvpn.keychain-db", + "show-keychain-info", + "lock-keychain", + "set-key-partition-list", + "import", + "find-identity") and + not process.parent.executable : + ( + "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect", + "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise", + "/opt/jc/bin/jumpcloud-agent" + ) and + not process.executable : "/opt/jc/bin/jumpcloud-agent" + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-account-configured-with-never-expiring-password.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-account-configured-with-never-expiring-password.asciidoc new file mode 100644 index 0000000000..4dd6b64407 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-account-configured-with-never-expiring-password.asciidoc 
@@ -0,0 +1,105 @@ +[[prebuilt-rule-8-10-7-account-configured-with-never-expiring-password]] +=== Account Configured with Never-Expiring Password + +Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. + +*Rule type*: query + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.cert.ssi.gouv.fr/uploads/guide-ad.html#dont_expire +* http://web.archive.org/web/20230329171952/https://blog.menasec.net/2019/02/threat-hunting-26-persistent-password.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Active Directory +* Resources: Investigation Guide +* Use Case: Active Directory Monitoring + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Account Configured with Never-Expiring Password + +Active Directory provides a setting that prevents users' passwords from expiring. Enabling this setting is bad practice and can expose environments to vulnerabilities that weaken security posture, especially when these accounts are privileged. + +The setting is usually configured so a user account can act as a service account. Attackers can abuse these accounts to persist in the domain and maintain long-term access using compromised accounts with a never-expiring password set. 
+ +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Contact the account owner and confirm whether they are aware of this activity. +- Investigate other alerts associated with the user/source host during the past 48 hours. +- Inspect the account for suspicious or abnormal behaviors in the alert timeframe. + +### False positive analysis + +- This activity should not happen legitimately. The security team should address any potential benign true positive (B-TP), as this configuration can put the user and the domain at risk. +- Using user accounts as service accounts is a bad security practice and should not be allowed in the domain. The security team should map and monitor potential benign true positives (B-TPs), especially if the account is privileged. For cases in which user accounts cannot be avoided, Microsoft provides the Group Managed Service Accounts (gMSA) feature, which ensures that the account password is robust and changed regularly and automatically. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Review the privileges assigned to the user to ensure that the least privilege principle is being followed. +- Reset the password of the account and update its password settings. +- Search for other occurrences on the domain. + - Using the [Active Directory PowerShell module](https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser): + - `get-aduser -filter { passwordNeverExpires -eq $true -and enabled -eq $true } | ft` +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. 
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.action:"modified-user-account" and winlog.api:"wineventlog" and event.code:"4738" and + message:"'Don't Expire Password' - Enabled" and not user.id:"S-1-5-18" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Account Manipulation +** ID: T1098 +** Reference URL: https://attack.mitre.org/techniques/T1098/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-apple-script-execution-followed-by-network-connection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-apple-script-execution-followed-by-network-connection.asciidoc new file mode 100644 index 0000000000..17ba1f646a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-apple-script-execution-followed-by-network-connection.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-8-10-7-apple-script-execution-followed-by-network-connection]] +=== Apple Script Execution followed by Network Connection + +Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html +* https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Command and Control +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, process.entity_id with maxspan=30s + [process where host.os.type == "macos" and event.type == "start" and process.name == "osascript"] + [network where host.os.type == "macos" and event.type != "end" and process.name == "osascript" and destination.ip != "::1" and + not cidrmatch(destination.ip, + "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", + "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: AppleScript +** ID: T1059.002 +** Reference URL: https://attack.mitre.org/techniques/T1059/002/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-apple-scripting-execution-with-administrator-privileges.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-apple-scripting-execution-with-administrator-privileges.asciidoc new file mode 100644 index 0000000000..7caf23f8c1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-apple-scripting-execution-with-administrator-privileges.asciidoc 
@@ -0,0 +1,71 @@ +[[prebuilt-rule-8-10-7-apple-scripting-execution-with-administrator-privileges]] +=== Apple Scripting Execution with Administrator Privileges + +Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://discussions.apple.com/thread/2266150 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*with administrator privileges" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-disable-gatekeeper.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-disable-gatekeeper.asciidoc new file mode 100644 index 0000000000..5197304b13 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-disable-gatekeeper.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-7-attempt-to-disable-gatekeeper]] +=== Attempt to Disable Gatekeeper + +Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.apple.com/en-us/HT202491 +* https://community.carbonblack.com/t5/Threat-Advisories-Documents/TAU-TIN-Shlayer-OSX/ta-p/68397 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.args:(spctl and "--master-disable") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-enable-the-root-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-enable-the-root-account.asciidoc new file mode 100644 index 0000000000..eb1f23d519 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-enable-the-root-account.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-7-attempt-to-enable-the-root-account]] +=== Attempt to Enable the Root Account + +Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/dsenableroot.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:dsenableroot and not process.args:"-d" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-install-root-certificate.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-install-root-certificate.asciidoc new file mode 100644 index 0000000000..518f199d4a --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-install-root-certificate.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-7-attempt-to-install-root-certificate]] +=== Attempt to Install Root Certificate + +Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/security-cert.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:security and process.args:"add-trusted-cert" and + not process.parent.executable:("/Library/Bitdefender/AVP/product/bin/BDCoreIssues" or "/Applications/Bitdefender/SecurityNetworkInstallerApp.app/Contents/MacOS/SecurityNetworkInstallerApp" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Subvert Trust Controls +** ID: T1553 +** Reference URL: https://attack.mitre.org/techniques/T1553/ +* Sub-technique: +** Name: Install Root Certificate +** ID: T1553.004 +** Reference URL: https://attack.mitre.org/techniques/T1553/004/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-mount-smb-share-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-mount-smb-share-via-command-line.asciidoc new file mode 100644 index 0000000000..5d89b3d330 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-mount-smb-share-via-command-line.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-8-10-7-attempt-to-mount-smb-share-via-command-line]] +=== Attempt to Mount SMB Share via Command Line + +Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.freebsd.org/cgi/man.cgi?mount_smbfs +* https://ss64.com/osx/mount.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + process.name : "mount_smbfs" or + (process.name : "open" and process.args : "smb://*") or + (process.name : "mount" and process.args : "smbfs") or + (process.name : "osascript" and process.command_line : "osascript*mount volume*smb://*") + ) and + not process.parent.executable : "/Applications/Google Drive.app/Contents/MacOS/Google Drive" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-remove-file-quarantine-attribute.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-remove-file-quarantine-attribute.asciidoc new file mode 100644 index 0000000000..c10e18ba5b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-remove-file-quarantine-attribute.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-10-7-attempt-to-remove-file-quarantine-attribute]] +=== Attempt to Remove File Quarantine Attribute + +Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html +* https://ss64.com/osx/xattr.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.name : "xattr" and + ( + (process.args : "com.apple.quarantine" and process.args : ("-d", "-w")) or + (process.args : "-c") or + (process.command_line : ("/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *", "/bin/sh -c xattr -c *")) + ) and not process.args_count > 12 + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc new file mode 100644 index 0000000000..62590176d9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-8-10-7-attempt-to-unload-elastic-endpoint-security-kernel-extension]] +=== Attempt to Unload Elastic Endpoint Security Kernel Extension + +Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:kextunload and process.args:("/System/Library/Extensions/EndpointSecurity.kext" or "EndpointSecurity.kext") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Kernel Modules and Extensions +** ID: T1547.006 +** Reference URL: https://attack.mitre.org/techniques/T1547/006/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-authorization-plugin-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-authorization-plugin-modification.asciidoc new file mode 100644 index 0000000000..a9198f39bf --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-authorization-plugin-modification.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-7-authorization-plugin-modification]] +=== Authorization Plugin Modification + +Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/documentation/security/authorization_plug-ins +* https://www.xorrior.com/persistent-credential-theft/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:deletion and + file.path:(/Library/Security/SecurityAgentPlugins/* and + not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and + not process.name:shove and process.code_signature.trusted:true + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Sub-technique: +** Name: Authentication Package +** ID: T1547.002 +** Reference URL: https://attack.mitre.org/techniques/T1547/002/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-a-hidden-local-user-account.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-a-hidden-local-user-account.asciidoc new file mode 100644 index 0000000000..4eef8467fb --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-a-hidden-local-user-account.asciidoc 
@@ -0,0 +1,109 @@ +[[prebuilt-rule-8-10-7-creation-of-a-hidden-local-user-account]] +=== Creation of a Hidden Local User Account + +Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329153858/https://blog.menasec.net/2019/02/threat-hunting-6-hiding-in-plain-sights_8.html +* https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/tree/master/2020/2020.12.15.Lazarus_Campaign + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Persistence +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 108 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Creation of a Hidden Local User Account + +Attackers can create accounts ending with a `$` symbol to make the account hidden to user enumeration utilities and bypass detections that identify computer accounts by this pattern to apply filters. + +This rule uses registry events to identify the creation of local hidden accounts. + +#### Possible investigation steps + +- Identify the user account that performed the action and whether it should perform this kind of action. +- Investigate the process execution chain (parent process tree) for unknown processes. 
Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Investigate other alerts associated with the user/host during the past 48 hours. + +### False positive analysis + +- This activity is unlikely to happen legitimately. Benign true positive (B-TPs) can be added as exceptions if necessary. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved hosts to prevent further post-compromise behavior. +- Delete the hidden account. +- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +registry where host.os.type == "windows" and registry.path : ( + "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\", + "\\REGISTRY\\MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\Names\\*$\\" +) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create Account +** ID: T1136 +** Reference URL: https://attack.mitre.org/techniques/T1136/ +* Sub-technique: +** Name: Local Account +** ID: T1136.001 +** Reference URL: https://attack.mitre.org/techniques/T1136/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-hidden-launch-agent-or-daemon.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-hidden-launch-agent-or-daemon.asciidoc new file mode 100644 index 0000000000..53c762ff12 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-hidden-launch-agent-or-daemon.asciidoc 
@@ -0,0 +1,86 @@ +[[prebuilt-rule-8-10-7-creation-of-hidden-launch-agent-or-daemon]] +=== Creation of Hidden Launch Agent or Daemon + +Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.path : + ( + "/System/Library/LaunchAgents/.*.plist", + "/Library/LaunchAgents/.*.plist", + "/Users/*/Library/LaunchAgents/.*.plist", + "/System/Library/LaunchDaemons/.*.plist", + "/Library/LaunchDaemons/.*.plist" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: T1564 +** Reference URL: 
https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-hidden-login-item-via-apple-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-hidden-login-item-via-apple-script.asciidoc new file mode 100644 index 0000000000..3bc1d0c7a6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-creation-of-hidden-login-item-via-apple-script.asciidoc 
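Review bot: the ATT&CK mapping for Creation of Hidden Launch Agent or Daemon stops at `** Name: Launch Agent` / `** ID: T1543.001`, yet the query also covers `"/System/Library/LaunchDaemons/.*.plist"` and `"/Library/LaunchDaemons/.*.plist"`; add the Launch Daemon sub-technique (T1543.004) so the mapping matches the title and the path list. The description's "which executes at login" is also only true of agents; daemons are loaded at boot as root, so phrase it as "at login or at boot".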
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-7-creation-of-hidden-login-item-via-apple-script]] +=== Creation of Hidden Login Item via Apple Script + +Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 107 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*login item*hidden:true*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: AppleScript +** ID: T1059.002 +** Reference URL: https://attack.mitre.org/techniques/T1059/002/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Plist File Modification +** ID: T1647 +** Reference URL: 
https://attack.mitre.org/techniques/T1647/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-dumping-account-hashes-via-built-in-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-dumping-account-hashes-via-built-in-commands.asciidoc new file mode 100644 index 0000000000..c800242ead --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-dumping-account-hashes-via-built-in-commands.asciidoc 
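Review bot: `process.command_line : "osascript*login item*hidden:true*"` in Creation of Hidden Login Item via Apple Script requires the record key and value to be adjacent, but AppleScript allows whitespace after the colon (`hidden: true`), so the pattern should tolerate it (for example `*hidden:*true*`). The tag list also omits `Tactic: Defense Evasion` while the framework section maps TA0005 / T1647 (Plist File Modification); align the two so the rule is filterable by every tactic it claims.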
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-7-dumping-account-hashes-via-built-in-commands]] +=== Dumping Account Hashes via Built-In Commands + +Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored +* https://www.unix.com/man-page/osx/8/mkpassdb/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-dumping-of-keychain-content-via-security-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-dumping-of-keychain-content-via-security-command.asciidoc new file mode 100644 index 0000000000..30fd48035b --- /dev/null 
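Review bot: Dumping Account Hashes via Built-In Commands filters on `event.type:start` alone, whereas the other process rules in this package use `event.type:(start or process_started)` or `event.type in ("start", "process_started")`; use one form across the package or explain the difference. Also `process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump")` evaluates the two disjunctions independently, so cross combinations such as `defaults` with `-dump` alert as well; if that is intended, say so in the description, otherwise pair each binary with its own argument.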
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-dumping-of-keychain-content-via-security-command.asciidoc @@ -0,0 +1,65 @@ +[[prebuilt-rule-8-10-7-dumping-of-keychain-content-via-security-command]] +=== Dumping of Keychain Content via Security Command + +Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://ss64.com/osx/security.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ 
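Review bot: the Dumping of Keychain Content via Security Command query matches `process.args : "dump-keychain" and process.args : "-d"` without constraining `process.name`, although the title, description and the ss64 reference all concern the `security` binary; either add `process.name : "security"` or state in the description that any process carrying those two arguments is in scope, so analysts know what an alert from a different binary means.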
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-emond-rules-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-emond-rules-creation-or-modification.asciidoc new file mode 100644 index 0000000000..65e29dd548 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-emond-rules-creation-or-modification.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-7-emond-rules-creation-or-modification]] +=== Emond Rules Creation or Modification + +Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.xorrior.com/emond-persistence/ +* https://www.sentinelone.com/blog/how-malware-persists-on-macos/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.path : ("/private/etc/emond.d/rules/*.plist", "/etc/emon.d/rules/*.plist", "/private/var/db/emondClients/*") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Emond +** ID: T1546.014 +** Reference URL: https://attack.mitre.org/techniques/T1546/014/ 
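Review bot: `"/etc/emon.d/rules/*.plist"` in the Emond Rules Creation or Modification query looks like a typo for `/etc/emond.d/rules/*.plist`; as written it never matches the real directory, and since `/etc` is a symlink to `/private/etc` the first pattern (`"/private/etc/emond.d/rules/*.plist"`) is the one that actually fires. Fix the spelling and confirm whether the endpoint reports the symlink path or the resolved path so the list carries only forms that occur in the data.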
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-enumeration-of-users-or-groups-via-built-in-commands.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-enumeration-of-users-or-groups-via-built-in-commands.asciidoc new file mode 100644 index 0000000000..6508802296 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-enumeration-of-users-or-groups-via-built-in-commands.asciidoc 
@@ -0,0 +1,89 @@ +[[prebuilt-rule-8-10-7-enumeration-of-users-or-groups-via-built-in-commands]] +=== Enumeration of Users or Groups via Built-in Commands + +Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: None + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Discovery +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + process.name : ("ldapsearch", "dsmemberutil") or + (process.name : "dscl" and + process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and + process.args : ("/Active Directory/*", "/Users*", "/Groups*")) + ) and + not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD", + "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence", + "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree", + "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon", + "/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect", + "/usr/local/jamf/bin/jamf", + "/Library/Application Support/AirWatch/hubd", + "/opt/jc/bin/jumpcloud-agent", + "/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon", + "/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon", + "/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper" + ) + 
+---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Discovery +** ID: TA0007 +** Reference URL: https://attack.mitre.org/tactics/TA0007/ +* Technique: +** Name: Permission Groups Discovery +** ID: T1069 +** Reference URL: https://attack.mitre.org/techniques/T1069/ +* Sub-technique: +** Name: Local Groups +** ID: T1069.001 +** Reference URL: https://attack.mitre.org/techniques/T1069/001/ +* Technique: +** Name: Account Discovery +** ID: T1087 +** Reference URL: https://attack.mitre.org/techniques/T1087/ +* Sub-technique: +** Name: Local Account +** ID: T1087.001 +** Reference URL: https://attack.mitre.org/techniques/T1087/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-execution-via-electron-child-process-node-js-module.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-execution-via-electron-child-process-node-js-module.asciidoc new file mode 100644 index 0000000000..e46b585100 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-execution-via-electron-child-process-node-js-module.asciidoc 
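Review bot: in Enumeration of Users or Groups via Built-in Commands, `process.name : ("ldapsearch", "dsmemberutil")` alerts on any invocation regardless of arguments, while `dscl` is gated on the read/list verbs and on the `"/Active Directory/*"`, `"/Users*"`, `"/Groups*"` paths; either gate the first two the same way or state in the description that they are matched unconditionally. The long `not process.parent.executable : (...)` allowlist of vendor binaries would also be easier for users to tune as a rule exception list than as part of the query body.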
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-10-7-execution-via-electron-child-process-node-js-module]] +=== Execution via Electron Child Process Node.js Module + +Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.matthewslipper.com/2019/09/22/everything-you-wanted-electron-child-process.html +* https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks/ +* https://nodejs.org/api/child_process.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.args:("-e" and const*require*child_process*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ 
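Review bot: the description of Execution via Electron Child Process Node.js Module says the child process is launched "from within the context of an Electron application", but the query `process.args:("-e" and const*require*child_process*)` has no Electron-specific predicate (no `process.name`, `process.parent.executable` or bundle-path check), so any `-e` one-liner that requires `child_process` matches; either add a parent constraint or reword the description to describe what the query actually detects.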
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-execution-with-explicit-credentials-via-scripting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-execution-with-explicit-credentials-via-scripting.asciidoc new file mode 100644 index 0000000000..e9c46f244b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-execution-with-explicit-credentials-via-scripting.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-7-execution-with-explicit-credentials-via-scripting]] +=== Execution with Explicit Credentials via Scripting + +Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf +* https://www.manpagez.com/man/8/security_authtrampoline/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:"security_authtrampoline" and + process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Sub-technique: +** Name: Elevated Execution with Prompt +** 
ID: T1548.004 +** Reference URL: https://attack.mitre.org/techniques/T1548/004/ +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-finder-sync-plugin-registered-and-enabled.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-finder-sync-plugin-registered-and-enabled.asciidoc new file mode 100644 index 0000000000..561df0732b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-finder-sync-plugin-registered-and-enabled.asciidoc 
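Review bot: the description of Execution with Explicit Credentials via Scripting refers to `AuthorizationExecute-WithPrivileges`; the Security.framework API is `AuthorizationExecuteWithPrivileges` with no hyphen, and the following sentence "It should not be run by itself" leaves the subject unclear. Reword to name `security_authtrampoline` explicitly, e.g. "security_authtrampoline is not normally launched directly by a scripting interpreter, so a scripting parent is a sign of execution with explicit credentials."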
@@ -0,0 +1,75 @@ +[[prebuilt-rule-8-10-7-finder-sync-plugin-registered-and-enabled]] +=== Finder Sync Plugin Registered and Enabled + +Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "pluginkit" and + process.args : "-e" and process.args : "use" and process.args : "-i" and + not process.args : + ( + "com.google.GoogleDrive.FinderSyncAPIExtension", + "com.google.drivefs.findersync", + "com.boxcryptor.osx.Rednif", + "com.adobe.accmac.ACCFinderSync", + "com.microsoft.OneDrive.FinderSync", + "com.insynchq.Insync.Insync-Finder-Integration", + "com.box.desktop.findersyncext" + ) and + not process.parent.executable : ( + "/Library/Application Support/IDriveforMac/IDriveHelperTools/FinderPluginApp.app/Contents/MacOS/FinderPluginApp" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference 
URL: https://attack.mitre.org/techniques/T1543/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-first-occurrence-of-okta-user-session-started-via-proxy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-first-occurrence-of-okta-user-session-started-via-proxy.asciidoc new file mode 100644 index 0000000000..ef984ce280 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-first-occurrence-of-okta-user-session-started-via-proxy.asciidoc 
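Review bot: the description of Finder Sync Plugin Registered and Enabled does not explain why `process.name : "pluginkit"` with `process.args : "-e" and process.args : "use" and process.args : "-i"` is the signal; add a sentence that `pluginkit -e use -i <bundle id>` enables a registered extension, so an alert means an extension outside the bundle-identifier allowlist was enabled from the command line, and that the `not process.args : (...)` list excludes by bundle identifier only.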
@@ -0,0 +1,97 @@ +[[prebuilt-rule-8-10-7-first-occurrence-of-okta-user-session-started-via-proxy]] +=== First Occurrence of Okta User Session Started via Proxy + +Identifies the first occurrence of an Okta user session started via a proxy. + +*Rule type*: new_terms + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://developer.okta.com/docs/reference/api/system-log/#issuer-object +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection + +*Tags*: + +* Tactic: Initial Access +* Use Case: Identity and Access Audit +* Data Source: Okta + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating First Occurrence of Okta User Session Started via Proxy + +This rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity. + +#### Possible investigation steps: +- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. 
+- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used. +- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy. +- Review the past activities of the actor involved in this action by checking their previous actions. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + +### False positive analysis: +- A user may have legitimately started a session via a proxy for security or privacy reasons. + +### Response and remediation: +- Review the profile of the user involved in this action to determine if proxy usage may be expected. +- If the user is legitimate and the authentication behavior is not suspicious, no action is required. +- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the user. +- If the user is not legitimate, consider deactivating the user's account. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. 
+ +## Setup +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: External Remote Services +** ID: T1133 +** Reference URL: https://attack.mitre.org/techniques/T1133/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-first-time-seen-newcredentials-logon-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-first-time-seen-newcredentials-logon-process.asciidoc new file mode 100644 index 0000000000..670ff95634 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-first-time-seen-newcredentials-logon-process.asciidoc 
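Review bot: the investigation guide for First Occurrence of Okta User Session Started via Proxy ends with an empty `## Setup` heading; either fill it (at minimum, that the New Terms check needs the preceding 7 days of `okta.system` data before first alerts are meaningful) or drop it. `*Searches indices from*: None` also renders with no lookback while the schedule is `5m` and the guide describes a 7-day comparison window; set an explicit `from` so the page is consistent with the other rules in the package.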
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-7-first-time-seen-newcredentials-logon-process]] +=== First Time Seen NewCredentials Logon Process + +Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions. + +*Rule type*: new_terms + +*Rule indices*: + +* winlogbeat-* +* logs-system.* +* logs-windows.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Privilege Escalation + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Access Token Manipulation +** ID: T1134 +** Reference URL: https://attack.mitre.org/techniques/T1134/ +* Sub-technique: +** Name: Token Impersonation/Theft +** ID: T1134.001 +** Reference URL: https://attack.mitre.org/techniques/T1134/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-kerberos-cached-credentials-dumping.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-kerberos-cached-credentials-dumping.asciidoc new file mode 100644 index 0000000000..cebf5f5250 --- /dev/null 
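Review bot: in First Time Seen NewCredentials Logon Process, `winlog.event_data.LogonProcessName:(Advapi* or "Advapi ")` is redundant, since `Advapi*` already matches the trailing-space form; keep one term or comment why both are needed. The rendered page also never shows which field the New Terms comparison runs on, so a reader cannot tell what "unusual process" means; surface that field in the docs. Grammar: "capability that are often abused" should read "capability that is often abused".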
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-kerberos-cached-credentials-dumping.asciidoc @@ -0,0 +1,72 @@ +[[prebuilt-rule-8-10-7-kerberos-cached-credentials-dumping]] +=== Kerberos Cached Credentials Dumping + +Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py +* https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:kcc and + process.args:copy_cred_cache + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: OS Credential Dumping +** ID: T1003 +** Reference URL: https://attack.mitre.org/techniques/T1003/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: https://attack.mitre.org/techniques/T1558/003/ 
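Review bot: Kerberos Cached Credentials Dumping maps to `** Name: Kerberoasting` / `** ID: T1558.003`, but `kcc copy_cred_cache` copies an existing credential cache, which is ticket theft rather than requesting service tickets for offline cracking; the parent T1558 (Steal or Forge Kerberos Tickets) and T1003 already describe the behaviour, so drop the Kerberoasting sub-technique or justify it in the description.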
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-keychain-password-retrieval-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-keychain-password-retrieval-via-command-line.asciidoc new file mode 100644 index 0000000000..f9b3826691 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-keychain-password-retrieval-via-command-line.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-8-10-7-keychain-password-retrieval-via-command-line]] +=== Keychain Password Retrieval via Command Line + +Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.netmeister.org/blog/keychain-passwords.html +* https://github.com/priyankchheda/chrome_password_grabber/blob/master/chrome.py +* https://ss64.com/osx/security.html +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and + process.name : "security" and process.args : "-wa" and process.args : ("find-generic-password", "find-internet-password") and + process.args : ("Chrome*", "Chromium", "Opera", "Safari*", "Brave", "Microsoft Edge", "Edge", "Firefox*") and + not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: 
https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Credentials from Web Browsers +** ID: T1555.003 +** Reference URL: https://attack.mitre.org/techniques/T1555/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-launch-agent-creation-or-modification-and-immediate-loading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-launch-agent-creation-or-modification-and-immediate-loading.asciidoc new file mode 100644 index 0000000000..92dc80c410 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-launch-agent-creation-or-modification-and-immediate-loading.asciidoc 
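Review bot: Keychain Password Retrieval via Command Line lists `** Name: Credentials from Password Stores` / `** ID: T1555` twice in the framework section, once before each sub-technique; collapse the duplicate so T1555.001 and T1555.003 sit under one technique entry. The description also reads "to in order to acquire" (drop the first "to"), and the query uses `event.type == "start"` while the sibling keychain dump rule uses `event.type in ("start", "process_started")`; pick one.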
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-7-launch-agent-creation-or-modification-and-immediate-loading]] +=== Launch Agent Creation or Modification and Immediate Loading + +An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [file where host.os.type == "macos" and event.type != "deletion" and + file.path : ("/System/Library/LaunchAgents/*", "/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*") + ] + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ 
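Review bot: the process stage of the sequence only matches `process.args == "load"`, so a plist loaded with the newer `launchctl bootstrap` subcommand would satisfy the file stage but never complete the sequence; consider `process.args in ("load", "bootstrap")`. The same `load`-only condition is used in the LaunchDaemon hunk that follows, so both should be adjusted together.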
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc new file mode 100644 index 0000000000..65539bd277 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-7-launchdaemon-creation-or-modification-and-immediate-loading]] +=== LaunchDaemon Creation or Modification and Immediate Loading + +Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=1m + [file where host.os.type == "macos" and event.type != "deletion" and file.path : ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")] + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-macos-installer-package-spawns-network-event.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-macos-installer-package-spawns-network-event.asciidoc new file mode 100644 index 0000000000..e3d54fecd5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-macos-installer-package-spawns-network-event.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-8-10-7-macos-installer-package-spawns-network-event]] +=== MacOS Installer Package Spawns Network Event + +Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://redcanary.com/blog/clipping-silver-sparrows-wings +* https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520 +* https://github.com/D00MFist/Mystikal + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Command and Control +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id, user.id with maxspan=30s +[process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")] +[network where host.os.type == "macos" and event.type == "start" and process.name : ("curl", "osascript", "wget", "python")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: 
Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ +* Sub-technique: +** Name: JavaScript +** ID: T1059.007 +** Reference URL: https://attack.mitre.org/techniques/T1059/007/ +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Application Layer Protocol +** ID: T1071 +** Reference URL: https://attack.mitre.org/techniques/T1071/ +* Sub-technique: +** Name: Web Protocols +** ID: T1071.001 +** Reference URL: https://attack.mitre.org/techniques/T1071/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-modification-of-environment-variable-via-launchctl.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-modification-of-environment-variable-via-launchctl.asciidoc new file mode 100644 index 0000000000..4c8e15ef29 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-modification-of-environment-variable-via-launchctl.asciidoc 
@@ -0,0 +1,78 @@ +[[prebuilt-rule-8-10-7-modification-of-environment-variable-via-launchctl]] +=== Modification of Environment Variable via Launchctl + +Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name:launchctl and + process.args:(setenv and not (ANT_HOME or + DBUS_LAUNCHD_SESSION_BUS_SOCKET or + EDEN_ENV or + LG_WEBOS_TV_SDK_HOME or + RUNTIME_JAVA_HOME or + WEBOS_CLI_TV or + JAVA*_HOME) and + not *.vmoptions) and + not process.parent.executable:("/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper" or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or + /usr/local/bin/kr) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hijack Execution Flow +** ID: T1574 +** Reference URL: https://attack.mitre.org/techniques/T1574/ +* Sub-technique: 
+** Name: Path Interception by PATH Environment Variable +** ID: T1574.007 +** Reference URL: https://attack.mitre.org/techniques/T1574/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-modification-of-safari-settings-via-defaults-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-modification-of-safari-settings-via-defaults-command.asciidoc new file mode 100644 index 0000000000..9143f5a738 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-modification-of-safari-settings-via-defaults-command.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-8-10-7-modification-of-safari-settings-via-defaults-command]] +=== Modification of Safari Settings via Defaults Command + +Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name:defaults and process.args: + (com.apple.Safari and write and not + ( + UniversalSearchEnabled or + SuppressSearchSuggestions or + WebKitTabToLinksPreferenceKey or + ShowFullURLInSmartSearchField or + com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ 
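Review bot: in the description, "to ease in the hijacking of the users browser" needs the possessive "user's" and reads more naturally as "to make hijacking the user's browser easier".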
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-client-addresses-for-a-single-user-session.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-client-addresses-for-a-single-user-session.asciidoc new file mode 100644 index 0000000000..65386dac1f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-client-addresses-for-a-single-user-session.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-7-multiple-okta-client-addresses-for-a-single-user-session]] +=== Multiple Okta Client Addresses for a Single User Session + +Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 60m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection + +*Tags*: + +* Use Case: Identity and Access Audit +* Data Source: Okta +* Tactic: Initial Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system + and okta.authentication_context.external_session_id:* and okta.debug_context.debug_data.dt_hash:* + and not (okta.actor.id: okta* or okta.actor.display_name: okta*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Cloud Accounts +** ID: T1078.004 +** Reference URL: 
https://attack.mitre.org/techniques/T1078/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-sessions-detected-for-a-single-user.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-sessions-detected-for-a-single-user.asciidoc new file mode 100644 index 0000000000..56bf507c3b --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-sessions-detected-for-a-single-user.asciidoc 
@@ -0,0 +1,76 @@ +[[prebuilt-rule-8-10-7-multiple-okta-sessions-detected-for-a-single-user]] +=== Multiple Okta Sessions Detected for a Single User + +Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 60m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection + +*Tags*: + +* Use Case: Identity and Access Audit +* Data Source: Okta +* Tactic: Lateral Movement + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:* + and not (okta.actor.id: okta* or okta.actor.display_name: okta*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Web Session Cookie +** ID: T1550.004 +** Reference URL: 
https://attack.mitre.org/techniques/T1550/004/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-users-with-the-same-device-token-hash.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-users-with-the-same-device-token-hash.asciidoc new file mode 100644 index 0000000000..9f54d14aba --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-multiple-okta-users-with-the-same-device-token-hash.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-8-10-7-multiple-okta-users-with-the-same-device-token-hash]] +=== Multiple Okta Users with the Same Device Token Hash + +Detects when Okta user or system events are reported for multiple users with the same device token hash. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection + +*Tags*: + +* Use Case: Identity and Access Audit +* Data Source: Okta +* Tactic: Initial Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Setup +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:* and okta.event_type:(system* or user*) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Cloud Accounts +** ID: T1078.004 +** Reference URL: https://attack.mitre.org/techniques/T1078/004/ 
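Review bot: the investigation guide block holds only a `## Setup` heading with no body; either add the setup text or drop the block so the rendered page does not show an empty section. The description also states only what is matched; one sentence on what a device token hash shared by several users may indicate would help analysts triage the alert.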
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-new-okta-authentication-behavior-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-new-okta-authentication-behavior-detected.asciidoc new file mode 100644 index 0000000000..fd2d1b6662 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-new-okta-authentication-behavior-detected.asciidoc 
@@ -0,0 +1,92 @@ +[[prebuilt-rule-8-10-7-new-okta-authentication-behavior-detected]] +=== New Okta Authentication Behavior Detected + +Detects events where Okta behavior detection has identified a new authentication behavior. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://unit42.paloaltonetworks.com/muddled-libra/ +* https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm + +*Tags*: + +* Use Case: Identity and Access Audit +* Tactic: Initial Access +* Data Source: Okta + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating New Okta Authentication Behavior Detected + +This rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location. + +#### Possible investigation steps: +- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields. +- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. 
+- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields. +- Review the past activities of the actor involved in this action by checking their previous actions. +- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + +### False positive analysis: +- A user may be using a new device or location to sign in. +- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted. + +### Response and remediation: +- If the user is legitimate and the authentication behavior is not suspicious, no action is required. +- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA). + - If MFA is already enabled, consider resetting MFA for the user. +- If the user is not legitimate, consider deactivating the user's account. +- If this is a false positive, consider adjusting the Okta behavior detection settings. +- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:* +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ 
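Review bot: in the false positive section, "may be incorrectly identifying a new authentication behavior and need adjusted" should read "and may need to be adjusted". The Framework section lists only the tactic with no technique; if that is intentional for behavior-detection events it is fine, otherwise consider mapping it the way the sibling Okta rules do (Valid Accounts, T1078).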
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-new-okta-identity-provider-idp-added-by-admin.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-new-okta-identity-provider-idp-added-by-admin.asciidoc new file mode 100644 index 0000000000..bd2c082ee7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-new-okta-identity-provider-idp-added-by-admin.asciidoc 
@@ -0,0 +1,102 @@ +[[prebuilt-rule-8-10-7-new-okta-identity-provider-idp-added-by-admin]] +=== New Okta Identity Provider (IdP) Added by Admin + +Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://unit42.paloaltonetworks.com/muddled-libra/ + +*Tags*: + +* Use Case: Identity and Access Audit +* Tactic: Persistence +* Data Source: Okta + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating New Okta Identity Provider (IdP) Added by Admin + +This rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta. + +#### Possible investigation steps: +- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields. +- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized. +- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. 
+- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields. +- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field. +- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + +### False positive analysis: +- It might be a false positive if the action was part of a planned activity or performed by an authorized person. +- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times. + +### Response and remediation: +- If the IdP is unauthorized, deactivate it immediately via the Okta console. +- If the IdP is authorized, ensure that the actor who created it is authorized to do so. +- If the actor is unauthorized, deactivate their account via the Okta console. +- If the actor is authorized, ensure that the actor's account is not compromised. +- Reset the user's password and enforce MFA re-enrollment, if applicable. +- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Modify Authentication Process +** ID: T1556 +** Reference URL: https://attack.mitre.org/techniques/T1556/ +* Sub-technique: +** Name: Hybrid Identity +** ID: T1556.007 +** Reference URL: https://attack.mitre.org/techniques/T1556/007/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-fastpass-phishing-detection.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-fastpass-phishing-detection.asciidoc new file mode 100644 index 0000000000..60bd1cd753 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-fastpass-phishing-detection.asciidoc 
@@ -0,0 +1,72 @@ +[[prebuilt-rule-8-10-7-okta-fastpass-phishing-detection]] +=== Okta FastPass Phishing Detection + +Detects when Okta FastPass prevents a user from authenticating to a phishing website. + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://sec.okta.com/fastpassphishingdetection +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection + +*Tags*: + +* Tactic: Initial Access +* Use Case: Identity and Access Audit +* Data Source: Okta + +*Version*: 2 + +*Rule authors*: + +* Austin Songer + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and event.category:authentication and + okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-sign-in-events-via-third-party-idp.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-sign-in-events-via-third-party-idp.asciidoc new file mode 100644 index 0000000000..b50750abbc --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-sign-in-events-via-third-party-idp.asciidoc 
@@ -0,0 +1,116 @@ +[[prebuilt-rule-8-10-7-okta-sign-in-events-via-third-party-idp]] +=== Okta Sign-In Events via Third-Party IdP + +Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP). + +*Rule type*: query + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://unit42.paloaltonetworks.com/muddled-libra/ + +*Tags*: + +* Use Case: Identity and Access Audit +* Tactic: Initial Access +* Data Source: Okta + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Okta Sign-In Events via Third-Party IdP + +This rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP). + +Adversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt. + +#### Possible investigation steps: +- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field. +- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant. +- If the IdP is unauthorized, deactivate it immediately via the Okta console. 
+- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data. + - The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event. +- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields. +- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields. +- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field. +- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action. +- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity. + +### False positive analysis: +- It might be a false positive if this IdP is authorized to be used by the tenant. +- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration. + +### Response and remediation: +- If the IdP is unauthorized, deactivate it immediately via the Okta console. +- Reset the effected user's password and enforce MFA re-enrollment, if applicable. +- Mobile device forensics may be required to determine if the user's device is compromised. +- If the IdP is authorized, ensure that the actor who created it is authorized to do so. +- If the actor is unauthorized, deactivate their account via the Okta console. +- If the actor is authorized, ensure that the actor's account is not compromised. 
+ +- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields. +- Conduct a review of Okta policies and ensure they are in accordance with security best practices. +- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP. +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and + (not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP + or user.authentication.auth_via_inbound_SAML + or user.authentication.auth_via_mfa + or user.authentication.auth_via_social) + or event.action:user.session.start) or + (event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE + and okta.outcome.reason:("A SAML assert with the same ID has already been processed by Okta for a previous request" + or "Unable to match transformed username" + or "Unable to resolve IdP endpoint" + or "Unable to validate SAML Response" + or "Unable to validate incoming SAML Assertion")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Trusted Relationship +** ID: T1199 +** Reference URL: https://attack.mitre.org/techniques/T1199/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-user-sessions-started-from-different-geolocations.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-user-sessions-started-from-different-geolocations.asciidoc new file mode 100644 index 0000000000..49faa76dff --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-okta-user-sessions-started-from-different-geolocations.asciidoc 
@@ -0,0 +1,77 @@ +[[prebuilt-rule-8-10-7-okta-user-sessions-started-from-different-geolocations]] +=== Okta User Sessions Started from Different Geolocations + +Detects when a specific Okta actor has multiple sessions started from different geolocations. + +*Rule type*: threshold + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 15m + +*Searches indices from*: now-30m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.okta.com/docs/reference/api/system-log/ +* https://developer.okta.com/docs/reference/api/event-types/ +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/ + +*Tags*: + +* Use Case: Identity and Access Audit +* Data Source: Okta +* Tactic: Initial Access + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.dataset:okta.system and okta.event_type:user.session.start and not okta.security_context.is_proxy:true + and okta.actor.id:* and client.geo.country_name:* + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Cloud Accounts +** ID: T1078.004 +** Reference URL: https://attack.mitre.org/techniques/T1078/004/ 
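Review bot: The Investigation guide section in this file is an empty `[source, markdown]` block; either drop the heading and the block or fill it in, since an empty listing renders as a blank box. Related: this is a threshold rule, yet the rendered page shows neither the threshold field nor the count, so the description's "multiple sessions started from different geolocations" is the only hint at what `okta.actor.id:*` and `client.geo.country_name:*` are grouped on. Stating the group-by field and the cardinality in the description would let readers tune the rule from the docs alone.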
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-directoryservice-plugin-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-directoryservice-plugin-modification.asciidoc new file mode 100644 index 0000000000..2353c57df5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-directoryservice-plugin-modification.asciidoc 
@@ -0,0 +1,62 @@ +[[prebuilt-rule-8-10-7-persistence-via-directoryservice-plugin-modification]] +=== Persistence via DirectoryService Plugin Modification + +Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:deletion and + file.path:/Library/DirectoryServices/PlugIns/*.dsplug + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-docker-shortcut-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-docker-shortcut-modification.asciidoc new file mode 100644 index 0000000000..105fffc981 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-docker-shortcut-modification.asciidoc @@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-7-persistence-via-docker-shortcut-modification]] +=== Persistence via Docker Shortcut Modification + +An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/specterops/presentations/raw/master/Leo%20Pitt/Hey_Im_Still_in_Here_Modern_macOS_Persistence_SO-CON2020.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and event.action:modification and + file.path:/Users/*/Library/Preferences/com.apple.dock.plist and + not process.name:(xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ 
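Review bot: The title and anchor say "Docker Shortcut Modification" while the description and query are about the macOS Dock (`/Users/*/Library/Preferences/com.apple.dock.plist`); Docker is an unrelated product. At minimum the description should say that the rule watches the Dock property list, or the rule should be renamed to "Dock Shortcut Modification" in a follow-up, since renaming also changes the `[[...]]` anchor that other pages link to.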
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-folder-action-script.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-folder-action-script.asciidoc new file mode 100644 index 0000000000..cec8dcfcd6 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-folder-action-script.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-8-10-7-persistence-via-folder-action-script]] +=== Persistence via Folder Action Script + +Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and + not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt" + ] by process.parent.pid + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ +* Tactic: +** Name: Execution +** 
ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-login-or-logout-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-login-or-logout-hook.asciidoc new file mode 100644 index 0000000000..2f50a78ef0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-persistence-via-login-or-logout-hook.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-7-persistence-via-login-or-logout-hook]] +=== Persistence via Login or Logout Hook + +Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf +* https://www.manpagez.com/man/1/defaults/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and + process.name == "defaults" and process.args == "write" and process.args : ("LoginHook", "LogoutHook") and + not process.args : + ( + "Support/JAMF/ManagementFrameworkScripts/logouthook.sh", + "Support/JAMF/ManagementFrameworkScripts/loginhook.sh", + "/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh", + "/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ 
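Review bot: The description says "login or logoff hook in MacOS" while the query keys on `LogoutHook` and every other rule in this package writes "macOS"; use "logout hook" and "macOS" for consistency. The exclusion list also mixes absolute JAMF paths with two relative variants (`Support/JAMF/ManagementFrameworkScripts/loginhook.sh` and `logouthook.sh`); a short sentence on why both forms are excluded would help anyone tuning the rule.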
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-admin-group-account-addition.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-admin-group-account-addition.asciidoc new file mode 100644 index 0000000000..f64005d3af --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-admin-group-account-addition.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-7-potential-admin-group-account-addition]] +=== Potential Admin Group Account Addition + +Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:(dscl or dseditgroup) and process.args:(("/Groups/admin" or admin) and ("-a" or "-append")) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-hidden-local-user-account-creation.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-hidden-local-user-account-creation.asciidoc new file mode 100644 index 0000000000..15b2255b88 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-hidden-local-user-account-creation.asciidoc @@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-7-potential-hidden-local-user-account-creation]] +=== Potential Hidden Local User Account Creation + +Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://support.apple.com/en-us/HT203998 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:dscl and process.args:(IsHidden and create and (true or 1 or yes)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Valid Accounts +** ID: T1078 +** Reference URL: https://attack.mitre.org/techniques/T1078/ +* Sub-technique: +** Name: Local Accounts +** ID: T1078.003 +** Reference URL: https://attack.mitre.org/techniques/T1078/003/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-kerberos-attack-via-bifrost.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-kerberos-attack-via-bifrost.asciidoc new file mode 100644 index 0000000000..3a60efc32a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-kerberos-attack-via-bifrost.asciidoc 
@@ -0,0 +1,79 @@ +[[prebuilt-rule-8-10-7-potential-kerberos-attack-via-bifrost]] +=== Potential Kerberos Attack via Bifrost + +Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/its-a-feature/bifrost + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab)))) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Use Alternate Authentication Material +** ID: T1550 +** Reference URL: https://attack.mitre.org/techniques/T1550/ +* Sub-technique: +** Name: Pass the Ticket +** ID: T1550.003 +** Reference URL: https://attack.mitre.org/techniques/T1550/003/ +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal or Forge Kerberos Tickets +** ID: T1558 +** Reference URL: https://attack.mitre.org/techniques/T1558/ +* Sub-technique: +** Name: Kerberoasting +** ID: T1558.003 +** Reference URL: 
https://attack.mitre.org/techniques/T1558/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-macos-ssh-brute-force-detected.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-macos-ssh-brute-force-detected.asciidoc new file mode 100644 index 0000000000..e93f83694f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-macos-ssh-brute-force-detected.asciidoc @@ -0,0 +1,61 @@ +[[prebuilt-rule-8-10-7-potential-macos-ssh-brute-force-detected]] +=== Potential macOS SSH Brute Force Detected + +Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. + +*Rule type*: threshold + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Brute Force +** ID: T1110 +** Reference URL: https://attack.mitre.org/techniques/T1110/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-microsoft-office-sandbox-evasion.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-microsoft-office-sandbox-evasion.asciidoc new file mode 100644 index 0000000000..24a1738a36 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-microsoft-office-sandbox-evasion.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-7-potential-microsoft-office-sandbox-evasion]] +=== Potential Microsoft Office Sandbox Evasion + +Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://i.blackhat.com/USA-20/Wednesday/us-20-Wardle-Office-Drama-On-macOS.pdf +* https://www.mdsec.co.uk/2018/08/escaping-the-sandbox-microsoft-office-on-macos/ +* https://desi-jarvis.medium.com/office365-macos-sandbox-escape-fcce4fa4123c + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:(macos and macos) and not event.type:deletion and file.name:~$*.zip + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Virtualization/Sandbox Evasion +** ID: T1497 +** Reference URL: https://attack.mitre.org/techniques/T1497/ 
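Review bot: `host.os.type:(macos and macos)` repeats the same term and should be `host.os.type:macos`. The description's "prepended with special characters" could also name the concrete prefix the query matches (`file.name:~$*.zip`, i.e. names beginning with `~$`), so readers can relate the prose to the pattern without decoding the unquoted KQL.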
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-okta-mfa-bombing-via-push-notifications.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-okta-mfa-bombing-via-push-notifications.asciidoc new file mode 100644 index 0000000000..5f469e56ab --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-okta-mfa-bombing-via-push-notifications.asciidoc 
@@ -0,0 +1,112 @@ +[[prebuilt-rule-8-10-7-potential-okta-mfa-bombing-via-push-notifications]] +=== Potential Okta MFA Bombing via Push Notifications + +Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mandiant.com/resources/russian-targeting-gov-business +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/ + +*Tags*: + +* Use Case: Identity and Access Audit +* Tactic: Credential Access +* Data Source: Okta + +*Version*: 1 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Okta MFA Bombing via Push Notifications + +Multi-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access. + +This rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy. 
+ +#### Possible investigation steps: + +- Identify the user who received the MFA notifications by reviewing the `user.email` field. +- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login. +- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action. +- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account. +- Check if the MFA requests and the successful login occurred during the user's regular activity hours. +- Look for any other suspicious activity on the account around the same time. +- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack. + +### False positive analysis: + +- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them. +- Check if there are known issues with the MFA system causing false denials. + +### Response and remediation: + +- If unauthorized access is confirmed, initiate your incident response process. +- Alert the user and your IT department immediately. +- If possible, isolate the user's account until the issue is resolved. +- Investigate the source of the unauthorized access. +- If the account was accessed by an unauthorized party, determine the actions they took after logging in. +- Consider enhancing your MFA policy to prevent such incidents in the future. +- Encourage users to report any unexpected MFA notifications immediately. +- Review and update your incident response plans and security policies based on the findings from the incident. 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by okta.actor.id with maxspan=10m + [authentication where event.dataset == "okta.system" + and okta.event_type == "user.mfa.okta_verify.deny_push"] with runs=5 + until [authentication where event.dataset == "okta.system" + and (okta.event_type: ( + "user.authentication.sso", + "user.authentication.auth_via_mfa", + "user.authentication.verify", + "user.session.start") and okta.outcome.result == "SUCCESS")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Multi-Factor Authentication Request Generation +** ID: T1621 +** Reference URL: https://attack.mitre.org/techniques/T1621/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-atom-init-script-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-atom-init-script-modification.asciidoc new file mode 100644 index 0000000000..4dea95f095 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-atom-init-script-modification.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-7-potential-persistence-via-atom-init-script-modification]] +=== Potential Persistence via Atom Init Script Modification + +Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js +* https://flight-manual.atom.io/hacking-atom/sections/the-init-file/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:"deletion" and + file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Initialization Scripts +** ID: T1037 +** Reference URL: https://attack.mitre.org/techniques/T1037/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-login-hook.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-login-hook.asciidoc new file mode 100644 index 0000000000..ff16deeaeb --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-login-hook.asciidoc 
@@ -0,0 +1,82 @@ +[[prebuilt-rule-8-10-7-potential-persistence-via-login-hook]] +=== Potential Persistence via Login Hook + +Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:"deletion" and + file.name:"com.apple.loginwindow.plist" and + process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor" +)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Boot or Logon Autostart Execution +** ID: T1547 +** Reference URL: https://attack.mitre.org/techniques/T1547/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Plist File Modification +** ID: T1647 +** Reference URL: https://attack.mitre.org/techniques/T1647/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-periodic-tasks.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-periodic-tasks.asciidoc new file mode 100644 index 0000000000..b386e40652 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-persistence-via-periodic-tasks.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-7-potential-persistence-via-periodic-tasks]] +=== Potential Persistence via Periodic Tasks + +Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html +* https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html +* https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:"deletion" and + file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ 
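Review bot: the `file.path` list in the rule query does not cover the local periodic directory. The FreeBSD-derived defaults that macOS ships in `/etc/defaults/periodic.conf` set `local_periodic="/usr/local/etc/periodic"`, and periodic(8) runs scripts from that tree as well, so modifications under `/usr/local/etc/periodic/*` are currently outside the rule. Suggest adding that path to the list, e.g. `file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf or /usr/local/etc/periodic/*)`, or stating the gap in the description. The query also has no process or user exclusions, so a short false-positive note (package managers and OS updates rewriting these files) would help analysts tune it.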
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc new file mode 100644 index 0000000000..a0549a5583 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-localhost-secure-copy]] +=== Potential Privacy Control Bypass via Localhost Secure Copy + +Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.name:"scp" and + process.args:"StrictHostKeyChecking=no" and + process.command_line:("scp *localhost:/*", "scp *127.0.0.1:/*") and + not process.args:"vagrant@*127.0.0.1*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: https://attack.mitre.org/techniques/T1548/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Abuse Elevation Control Mechanism +** ID: T1548 +** Reference URL: 
https://attack.mitre.org/techniques/T1548/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-tccdb-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-tccdb-modification.asciidoc new file mode 100644 index 0000000000..ba1bcee889 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-tccdb-modification.asciidoc 
@@ -0,0 +1,69 @@ +[[prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-tccdb-modification]] +=== Potential Privacy Control Bypass via TCCDB Modification + +Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/ +* https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh +* https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and + process.args : "/*/Application Support/com.apple.TCC/TCC.db" and + not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: 
https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potentially-successful-mfa-bombing-via-push-notifications.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potentially-successful-mfa-bombing-via-push-notifications.asciidoc new file mode 100644 index 0000000000..6d67fe91a2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-potentially-successful-mfa-bombing-via-push-notifications.asciidoc 
@@ -0,0 +1,111 @@ +[[prebuilt-rule-8-10-7-potentially-successful-mfa-bombing-via-push-notifications]] +=== Potentially Successful MFA Bombing via Push Notifications + +Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. + +*Rule type*: eql + +*Rule indices*: + +* filebeat-* +* logs-okta* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: None ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.mandiant.com/resources/russian-targeting-gov-business +* https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy +* https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection +* https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/ + +*Tags*: + +* Use Case: Identity and Access Audit +* Tactic: Credential Access +* Data Source: Okta + +*Version*: 208 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Potential Abuse of Repeated MFA Push Notifications + +Multi-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access. + +This rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy. 
+ +#### Possible investigation steps: + +- Identify the user who received the MFA notifications by reviewing the `user.email` field. +- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login. +- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action. +- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account. +- Check if the MFA requests and the successful login occurred during the user's regular activity hours. +- Look for any other suspicious activity on the account around the same time. +- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack. + +### False positive analysis: + +- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them. +- Check if there are known issues with the MFA system causing false denials. + +### Response and remediation: + +- If unauthorized access is confirmed, initiate your incident response process. +- Alert the user and your IT department immediately. +- If possible, isolate the user's account until the issue is resolved. +- Investigate the source of the unauthorized access. +- If the account was accessed by an unauthorized party, determine the actions they took after logging in. +- Consider enhancing your MFA policy to prevent such incidents in the future. +- Encourage users to report any unexpected MFA notifications immediately. +- Review and update your incident response plans and security policies based on the findings from the incident. 
+---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence by okta.actor.id with maxspan=10m + [authentication where event.dataset == "okta.system" and event.module == "okta" + and event.action == "user.mfa.okta_verify.deny_push"] with runs=3 + [authentication where event.dataset == "okta.system" and event.module == "okta" + and (event.action : ( + "user.authentication.sso", + "user.authentication.auth_via_mfa", + "user.authentication.verify", + "user.session.start") and okta.outcome.result == "SUCCESS")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Multi-Factor Authentication Request Generation +** ID: T1621 +** Reference URL: https://attack.mitre.org/techniques/T1621/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-privilege-escalation-via-root-crontab-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-privilege-escalation-via-root-crontab-file-modification.asciidoc new file mode 100644 index 0000000000..ea524ec98a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-privilege-escalation-via-root-crontab-file-modification.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-7-privilege-escalation-via-root-crontab-file-modification]] +=== Privilege Escalation via Root Crontab File Modification + +Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc +* https://www.exploit-db.com/exploits/42146 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and not event.type:deletion and + file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-prompt-for-credentials-with-osascript.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-prompt-for-credentials-with-osascript.asciidoc new file mode 100644 index 0000000000..24d6f165c7 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-prompt-for-credentials-with-osascript.asciidoc @@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-7-prompt-for-credentials-with-osascript]] +=== Prompt for Credentials with OSASCRIPT + +Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py +* https://ss64.com/osx/osascript.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*display dialog*password*" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Input Capture +** ID: T1056 +** Reference URL: https://attack.mitre.org/techniques/T1056/ +* Sub-technique: +** Name: GUI Input Capture +** ID: T1056.002 +** Reference URL: https://attack.mitre.org/techniques/T1056/002/ 
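Review bot: the description and the query disagree on what is detected. The description says the rule identifies osascript executing scripts "via standard input", but the query matches only `process.command_line : "osascript*display dialog*password*"`, and a script piped to osascript on stdin never appears in the command line; only inline `-e` style invocations are actually covered. Either reword the description to "via the command line" or add a sentence that scripts supplied on stdin are a known gap of this rule.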
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-execution-via-file-shares.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-execution-via-file-shares.asciidoc new file mode 100644 index 0000000000..52296d9b6a --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-execution-via-file-shares.asciidoc 
@@ -0,0 +1,125 @@ +[[prebuilt-rule-8-10-7-remote-execution-via-file-shares]] +=== Remote Execution via File Shares + +Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329172636/https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-movement.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote Execution via File Shares + +Adversaries can use network shares to host tooling to support the compromise of other hosts in the environment. These tools can include discovery utilities, credential dumpers, malware, etc. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. + +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Review adjacent login events (e.g., 4624) in the alert timeframe to identify the account used to perform this action. 
+- Investigate other alerts associated with the user/host during the past 48 hours. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the process executable using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for 
the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This activity can happen legitimately. Consider adding exceptions if it is expected and noisy in your environment. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. + - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Review the privileges needed to write to the network share and restrict write access as needed. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). 
+ +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +sequence with maxspan=1m + [file where host.os.type == "windows" and event.type in ("creation", "change") and + process.pid == 4 and (file.extension : "exe" or file.Ext.header_bytes : "4d5a*")] by host.id, file.path + [process where host.os.type == "windows" and event.type == "start"] by host.id, process.executable + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SMB/Windows Admin Shares +** ID: T1021.002 +** Reference URL: https://attack.mitre.org/techniques/T1021/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-file-copy-via-teamviewer.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-file-copy-via-teamviewer.asciidoc new file mode 100644 index 0000000000..9804e8ca36 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-file-copy-via-teamviewer.asciidoc 
@@ -0,0 +1,138 @@ +[[prebuilt-rule-8-10-7-remote-file-copy-via-teamviewer]] +=== Remote File Copy via TeamViewer + +Identifies an executable or script file remotely downloaded via a TeamViewer transfer session. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Command and Control +* Resources: Investigation Guide +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 109 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +### Investigating Remote File Copy via TeamViewer + +Attackers commonly transfer tooling or malware from external systems into a compromised environment using the command and control channel. However, they can also abuse legitimate utilities to drop these files. + +TeamViewer is a remote access and remote control tool used by helpdesks and system administrators to perform various support activities. It is also frequently used by attackers and scammers to deploy malware interactively and other malicious activities. This rule looks for the TeamViewer process creating files with suspicious extensions. + +> **Note**: +> This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
+ +#### Possible investigation steps + +- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. +- Contact the user to gather information about who and why was conducting the remote access. +- Investigate other alerts associated with the user/host during the past 48 hours. +- Check whether the company uses TeamViewer for the support activities and if there is a support ticket related to this access. +- Examine the host for derived artifacts that indicate suspicious activities: + - Analyze the file using a private sandboxed analysis system. + - Observe and collect information about the following activities in both the sandbox and the alert subject host: + - Attempts to contact external domains and addresses. + - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' `process.entity_id`. + - Examine the DNS cache for suspicious or anomalous entries. + - !{osquery{"label":"Osquery - Retrieve DNS Cache","query":"SELECT * FROM dns_cache"}} + - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree. + - Examine the host services for suspicious or anomalous entries. 
+ - !{osquery{"label":"Osquery - Retrieve All Services","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services"}} + - !{osquery{"label":"Osquery - Retrieve Services Running on User Accounts","query":"SELECT description, display_name, name, path, pid, service_type, start_type, status, user_account FROM services WHERE\nNOT (user_account LIKE '%LocalSystem' OR user_account LIKE '%LocalService' OR user_account LIKE '%NetworkService' OR\nuser_account == null)\n"}} + - !{osquery{"label":"Osquery - Retrieve Service Unsigned Executables with Virustotal Link","query":"SELECT concat('https://www.virustotal.com/gui/file/', sha1) AS VtLink, name, description, start_type, status, pid,\nservices.path FROM services JOIN authenticode ON services.path = authenticode.path OR services.module_path =\nauthenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'\n"}} + - Retrieve the files' SHA-256 hash values using the PowerShell `Get-FileHash` cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. +- Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification. + +### False positive analysis + +- This mechanism can be used legitimately. Analysts can dismiss the alert if the company relies on TeamViewer to conduct remote access and the triage has not identified suspicious or malicious files. + +### Response and remediation + +- Initiate the incident response process based on the outcome of the triage. +- Isolate the involved host to prevent further post-compromise behavior. +- If the triage identified malware, search the environment for additional compromised hosts. + - Implement temporary network rules, procedures, and segmentation to contain the malware. + - Stop suspicious processes. 
+ - Immediately block the identified indicators of compromise (IoCs). + - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system. +- Remove and block malicious artifacts identified during triage. +- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components. +- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services. +- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). + + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "windows" and event.type == "creation" and process.name : "TeamViewer.exe" and + file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta") and + not + ( + file.path : ( + "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\INetCache\\*.js", + "?:\\Users\\*\\AppData\\Local\\Temp\\TeamViewer\\update.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\?\\TeamViewer\\update.exe" + ) and process.code_signature.trusted == true + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Command and Control +** ID: TA0011 +** Reference URL: https://attack.mitre.org/tactics/TA0011/ +* Technique: +** Name: Ingress Tool Transfer +** ID: T1105 +** Reference URL: https://attack.mitre.org/techniques/T1105/ +* Technique: +** Name: Remote Access Software +** ID: T1219 +** Reference URL: https://attack.mitre.org/techniques/T1219/ 
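Review bot: the investigation guide step "searching for login events (for example, 4624) to the target host after the registry modification" refers to a registry modification that this rule does not involve; the text looks copied from another guide and should read "after the file was written by TeamViewer". Two smaller points in the same block: "who and why was conducting the remote access" reads better as "who was conducting the remote access and why", and the three empty `+` lines before the closing `----------------------------------` delimiter leave trailing blank lines inside the rendered markdown block.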
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-ssh-login-enabled-via-systemsetup-command.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-ssh-login-enabled-via-systemsetup-command.asciidoc new file mode 100644 index 0000000000..87773a4344 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-remote-ssh-login-enabled-via-systemsetup-command.asciidoc 
@@ -0,0 +1,70 @@ +[[prebuilt-rule-8-10-7-remote-ssh-login-enabled-via-systemsetup-command]] +=== Remote SSH Login Enabled via systemsetup Command + +Detects use of the systemsetup command to enable remote SSH Login. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf +* https://ss64.com/osx/systemsetup.html +* https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:systemsetup and + process.args:("-setremotelogin" and on) and + not process.parent.executable : /usr/local/jamf/bin/jamf + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ +* Sub-technique: +** Name: SSH +** ID: T1021.004 +** Reference URL: https://attack.mitre.org/techniques/T1021/004/ 
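Review bot: the Remote SSH Login Enabled via systemsetup Command rule ships without an `==== Investigation guide` section, and its only tuning is a bare path exclusion, `not process.parent.executable : /usr/local/jamf/bin/jamf`. Since MDM and configuration-management tooling legitimately runs `systemsetup -setremotelogin on`, add at least a false positive analysis explaining why only the Jamf binary is excluded and how analysts should treat other management agents, and note that `process.args:("-setremotelogin" and on)` matches the two tokens anywhere in the argument list, not only as an adjacent pair.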
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-screensaver-plist-file-modified-by-unexpected-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-screensaver-plist-file-modified-by-unexpected-process.asciidoc new file mode 100644 index 0000000000..e4d02d540f --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-screensaver-plist-file-modified-by-unexpected-process.asciidoc 
@@ -0,0 +1,105 @@ +[[prebuilt-rule-8-10-7-screensaver-plist-file-modified-by-unexpected-process]] +=== Screensaver Plist File Modified by Unexpected Process + +Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/saving-your-access-d562bf5bf90b +* https://github.com/D00MFist/PersistentJXA + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the plist file modification event to identify whether the change was expected or not +- Investigate the process that modified the plist file for malicious code or other suspicious behavior +- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host + + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and + file.name: "com.apple.screensaver.*.plist" and + file.path : ( + "/Users/*/Library/Preferences/ByHost/*", + "/Library/Managed Preferences/*", + "/System/Library/Preferences/*" + ) and + ( + process.code_signature.trusted == false or + process.code_signature.exists == false or + + /* common script interpreters 
and abused native macOS bins */ + process.name : ( + "curl", + "mktemp", + "tail", + "funzip", + "python*", + "osascript", + "perl" + ) + ) and + + /* Filter OS processes modifying screensaver plist files */ + not process.executable : ( + "/usr/sbin/cfprefsd", + "/usr/libexec/xpcproxy", + "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor", + "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-shell-execution-via-apple-scripting.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-shell-execution-via-apple-scripting.asciidoc new file mode 100644 index 0000000000..983df01bbc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-shell-execution-via-apple-scripting.asciidoc 
@@ -0,0 +1,64 @@ +[[prebuilt-rule-8-10-7-shell-execution-via-apple-scripting]] +=== Shell Execution via Apple Scripting + +Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://developer.apple.com/library/archive/technotes/tn2065/_index.html +* https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=5s + [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "osascript"] by process.pid + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "sh" and process.args == "-c"] by process.parent.pid + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ 
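Review bot: the sequence in the Shell Execution via Apple Scripting rule has no exclusions and no investigation guide, yet `do shell script` from osascript is routine in legitimate installers and automation, so analysts will need false positive guidance; please add that section. It would also help to document why the osascript leg accepts `event.type in ("start", "process_started", "info")` while the `sh` leg accepts only `("start", "process_started")`, so that a future maintainer does not "fix" the asymmetry.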
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-softwareupdate-preferences-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-softwareupdate-preferences-modification.asciidoc new file mode 100644 index 0000000000..e82a954747 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-softwareupdate-preferences-modification.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-7-softwareupdate-preferences-modification]] +=== SoftwareUpdate Preferences Modification + +Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:defaults and + process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true)) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Impair Defenses +** ID: T1562 +** Reference URL: https://attack.mitre.org/techniques/T1562/ +* Sub-technique: +** Name: Disable or Modify Tools +** ID: T1562.001 +** Reference URL: https://attack.mitre.org/techniques/T1562/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-sublime-plugin-or-application-script-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-sublime-plugin-or-application-script-modification.asciidoc new file mode 100644 index 0000000000..290bd11954 
--- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-sublime-plugin-or-application-script-modification.asciidoc @@ -0,0 +1,74 @@ +[[prebuilt-rule-8-10-7-sublime-plugin-or-application-script-modification]] +=== Sublime Plugin or Application Script Modification + +Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and + file.path : + ( + "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", + "/Applications/Sublime Text.app/Contents/MacOS/sublime.py" + ) and + not process.executable : + ( + "/Applications/Sublime Text*.app/Contents/*", + "/usr/local/Cellar/git/*/bin/git", + "/Library/Developer/CommandLineTools/usr/bin/git", + "/usr/libexec/xpcproxy", + "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Compromise Client Software Binary +** ID: T1554 +** Reference URL: https://attack.mitre.org/techniques/T1554/ 
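Review bot: in the Sublime rule the `file.path` list only names `/Applications/Sublime Text.app/Contents/MacOS/sublime.py`, while the `process.executable` exclusion allows `/Applications/Sublime Text*.app/Contents/*`; a versioned bundle name is therefore trusted as a writer but never covered as a target. Use the same wildcard on both sides, e.g. `"/Applications/Sublime Text*.app/Contents/MacOS/sublime.py"`. The Homebrew git exclusion `/usr/local/Cellar/git/*/bin/git` also covers only the Intel prefix; the browser child-process rule in this same patch already accounts for `/opt/homebrew/*`, so the Apple Silicon git path should be handled here as well to avoid avoidable noise.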
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-automator-workflows-execution.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-automator-workflows-execution.asciidoc new file mode 100644 index 0000000000..2987d6a0e1 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-automator-workflows-execution.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-7-suspicious-automator-workflows-execution]] +=== Suspicious Automator Workflows Execution + +Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5 + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by host.id with maxspan=30s + [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "automator"] + [network where host.os.type == "macos" and process.name:"com.apple.automator.runner"] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Command and Scripting Interpreter +** ID: T1059 +** Reference URL: https://attack.mitre.org/techniques/T1059/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-browser-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-browser-child-process.asciidoc new file mode 100644 index 0000000000..a81ef34496 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-browser-child-process.asciidoc 
@@ -0,0 +1,89 @@ +[[prebuilt-rule-8-10-7-suspicious-browser-child-process]] +=== Suspicious Browser Child Process + +Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x43.html +* https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Tactic: Execution +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.parent.name : ("Google Chrome", "Google Chrome Helper*", "firefox", "Opera", "Safari", "com.apple.WebKit.WebContent", "Microsoft Edge") and + process.name : ("sh", "bash", "dash", "ksh", "tcsh", "zsh", "curl", "wget", "python*", "perl*", "php*", "osascript", "pwsh") and + process.command_line != null and + not process.command_line : "*/Library/Application Support/Microsoft/MAU*/Microsoft AutoUpdate.app/Contents/MacOS/msupdate*" and + not process.args : + ( + "hw.model", + "IOPlatformExpertDevice", + "/Volumes/Google Chrome/Google Chrome.app/Contents/Frameworks/*/Resources/install.sh", + "--defaults-torrc", + "*Chrome.app", + "Framework.framework/Versions/*/Resources/keystone_promote_preflight.sh", + "/Users/*/Library/Application 
Support/Google/Chrome/recovery/*/ChromeRecovery", + "$DISPLAY", + "*GIO_LAUNCHED_DESKTOP_FILE_PID=$$*", + "/opt/homebrew/*", + "/usr/local/*brew*" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Execution +** ID: TA0002 +** Reference URL: https://attack.mitre.org/tactics/TA0002/ +* Technique: +** Name: Exploitation for Client Execution +** ID: T1203 +** Reference URL: https://attack.mitre.org/techniques/T1203/ +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Drive-by Compromise +** ID: T1189 +** Reference URL: https://attack.mitre.org/techniques/T1189/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-calendar-file-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-calendar-file-modification.asciidoc new file mode 100644 index 0000000000..9aa288baf9 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-calendar-file-modification.asciidoc 
@@ -0,0 +1,75 @@ +[[prebuilt-rule-8-10-7-suspicious-calendar-file-modification]] +=== Suspicious Calendar File Modification + +Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos +* https://github.com/FSecureLABS/CalendarPersist +* https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:file and host.os.type:macos and event.action:modification and + file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and + process.executable: + (* and not + ( + /System/Library/* or + /System/Applications/Calendar.app/Contents/MacOS/* or + /System/Applications/Mail.app/Contents/MacOS/Mail or + /usr/libexec/xpcproxy or + /sbin/launchd or + /Applications/* + ) + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ 
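Review bot: the `not (...)` block in the Suspicious Calendar File Modification query excludes `/Applications/*` wholesale, which means any application bundle under /Applications can modify `*.ics` files under `Library/Calendars` without raising this alert. Given that the description frames this as a persistence mechanism, either narrow that entry to the specific applications observed (the `/System/Applications/Calendar.app/Contents/MacOS/*` and `Mail` entries already show the pattern) or document the gap in an investigation guide with false positive analysis, which this rule currently lacks.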
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc new file mode 100644 index 0000000000..7e8d1ae118 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc 
@@ -0,0 +1,73 @@ +[[prebuilt-rule-8-10-7-suspicious-child-process-of-adobe-acrobat-reader-update-service]] +=== Suspicious Child Process of Adobe Acrobat Reader Update Service + +Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Privilege Escalation +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and + user.name:root and + not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or + /usr/bin/codesign or + /private/var/folders/zz/*/T/download/ARMDCHammer or + /usr/sbin/pkgutil or + /usr/bin/shasum or + /usr/bin/perl* or + /usr/sbin/spctl or + /usr/sbin/installer or + /usr/bin/csrutil) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Exploitation for Privilege Escalation +** ID: T1068 +** Reference URL: 
https://attack.mitre.org/techniques/T1068/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-crontab-creation-or-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-crontab-creation-or-modification.asciidoc new file mode 100644 index 0000000000..6a5b74b5b4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-crontab-creation-or-modification.asciidoc 
@@ -0,0 +1,67 @@ +[[prebuilt-rule-8-10-7-suspicious-crontab-creation-or-modification]] +=== Suspicious CronTab Creation or Modification + +Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://taomm.org/PDFs/vol1/CH%200x02%20Persistence.pdf +* https://theevilbit.github.io/beyond/beyond_0004/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +file where host.os.type == "macos" and event.type != "deletion" and process.name != null and + file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Scheduled Task/Job +** ID: T1053 +** Reference URL: https://attack.mitre.org/techniques/T1053/ +* Sub-technique: +** Name: Cron +** ID: T1053.003 +** Reference URL: https://attack.mitre.org/techniques/T1053/003/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-emond-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-emond-child-process.asciidoc new file mode 100644 index 0000000000..6f7a5d8022 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-emond-child-process.asciidoc @@ -0,0 +1,89 @@ +[[prebuilt-rule-8-10-7-suspicious-emond-child-process]] +=== Suspicious Emond Child Process + +Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.xorrior.com/emond-persistence/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.parent.name : "emond" and + process.name : ( + "bash", + "dash", + "sh", + "tcsh", + "csh", + "zsh", + "ksh", + "fish", + "Python", + "python*", + "perl*", + "php*", + "osascript", + "pwsh", + "curl", + "wget", + "cp", + "mv", + "touch", + "echo", + "base64", + "launchctl") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Emond +** ID: T1546.014 +** Reference URL: https://attack.mitre.org/techniques/T1546/014/ 
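Review bot: in the emond rule's `process.name : (...)` list, `"Python"` is redundant because the EQL `:` operator is case-insensitive and `"python*"` already matches it; drop the duplicate entry. The rule also has no investigation guide, so a short note on how to inspect the emond rule files that caused the child process to launch would give analysts a concrete next step.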
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-hidden-child-process-of-launchd.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-hidden-child-process-of-launchd.asciidoc new file mode 100644 index 0000000000..2436700f13 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-hidden-child-process-of-launchd.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-7-suspicious-hidden-child-process-of-launchd]] +=== Suspicious Hidden Child Process of Launchd + +Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://objective-see.com/blog/blog_0x61.html +* https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/ +* https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.name:.* and process.parent.executable:/sbin/launchd + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Create or Modify System Process +** ID: T1543 +** Reference URL: https://attack.mitre.org/techniques/T1543/ +* Sub-technique: +** Name: Launch Agent +** ID: T1543.001 +** Reference URL: https://attack.mitre.org/techniques/T1543/001/ +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Hide Artifacts +** ID: 
T1564 +** Reference URL: https://attack.mitre.org/techniques/T1564/ +* Sub-technique: +** Name: Hidden Files and Directories +** ID: T1564.001 +** Reference URL: https://attack.mitre.org/techniques/T1564/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-macos-ms-office-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-macos-ms-office-child-process.asciidoc new file mode 100644 index 0000000000..6958385ff4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-macos-ms-office-child-process.asciidoc 
@@ -0,0 +1,99 @@ +[[prebuilt-rule-8-10-7-suspicious-macos-ms-office-child-process]] +=== Suspicious macOS MS Office Child Process + +Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Initial Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and + process.name: + ( + "bash", + "dash", + "sh", + "tcsh", + "csh", + "zsh", + "ksh", + "fish", + "python*", + "perl*", + "php*", + "osascript", + "pwsh", + "curl", + "wget", + "cp", + "mv", + "base64", + "launchctl" + ) and + /* noisy false positives related to product version discovery and office errors reporting */ + not process.args: + ( + "ProductVersion", + "hw.model", + "ioreg", + "ProductName", + "ProductUserVisibleVersion", + "ProductBuildVersion", + "/Library/Application Support/Microsoft/MERP*/Microsoft Error Reporting.app/Contents/MacOS/Microsoft Error Reporting" + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Initial Access +** ID: TA0001 +** Reference URL: 
https://attack.mitre.org/tactics/TA0001/ +* Technique: +** Name: Phishing +** ID: T1566 +** Reference URL: https://attack.mitre.org/techniques/T1566/ +* Sub-technique: +** Name: Spearphishing Attachment +** ID: T1566.001 +** Reference URL: https://attack.mitre.org/techniques/T1566/001/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-managed-code-hosting-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-managed-code-hosting-process.asciidoc new file mode 100644 index 0000000000..cec9ee6da7 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-managed-code-hosting-process.asciidoc 
@@ -0,0 +1,74 @@ +[[prebuilt-rule-8-10-7-suspicious-managed-code-hosting-process]] +=== Suspicious Managed Code Hosting Process + +Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* http://web.archive.org/web/20230329154538/https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +sequence by process.entity_id with maxspan=5m + [process where host.os.type == "windows" and event.type == "start" and + process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")] + [file where host.os.type == "windows" and event.type != "deletion" and + file.name : ("wscript.exe.log", + "cscript.exe.log", + "mshta.exe.log", + "wmic.exe.log", + "svchost.exe.log", + "dllhost.exe.log", + "cmstp.exe.log", + "regsvr32.exe.log")] + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Process Injection +** ID: T1055 +** Reference URL: https://attack.mitre.org/techniques/T1055/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-werfault-child-process.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-werfault-child-process.asciidoc new file mode 100644 index 0000000000..08ad416a2c --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-suspicious-werfault-child-process.asciidoc 
@@ -0,0 +1,101 @@ +[[prebuilt-rule-8-10-7-suspicious-werfault-child-process]] +=== Suspicious WerFault Child Process + +A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes. + +*Rule type*: eql + +*Rule indices*: + +* winlogbeat-* +* logs-endpoint.events.* +* logs-windows.* +* endgame-* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://www.hexacorn.com/blog/2019/09/19/silentprocessexit-quick-look-under-the-hood/ +* https://www.hexacorn.com/blog/2019/09/20/werfault-command-line-switches-v0-1/ +* https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx +* http://web.archive.org/web/20230530011556/https://blog.menasec.net/2021/01/ + +*Tags*: + +* Domain: Endpoint +* OS: Windows +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Tactic: Persistence +* Tactic: Privilege Escalation +* Data Source: Elastic Endgame +* Data Source: Elastic Defend + +*Version*: 110 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "windows" and event.type == "start" and + + process.parent.name : "WerFault.exe" and + + /* args -s and -t used to execute a process via SilentProcessExit mechanism */ + (process.parent.args : "-s" and process.parent.args : "-t" and process.parent.args : "-c") and + + not process.executable : ("?:\\Windows\\SysWOW64\\Initcrypt.exe", "?:\\Program Files (x86)\\Heimdal\\Heimdal.Guard.exe") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 
+** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Masquerading +** ID: T1036 +** Reference URL: https://attack.mitre.org/techniques/T1036/ +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ +* Tactic: +** Name: Privilege Escalation +** ID: TA0004 +** Reference URL: https://attack.mitre.org/tactics/TA0004/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Image File Execution Options Injection +** ID: T1546.012 +** Reference URL: https://attack.mitre.org/techniques/T1546/012/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-systemkey-access-via-command-line.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-systemkey-access-via-command-line.asciidoc new file mode 100644 index 0000000000..071d9b14b0 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-systemkey-access-via-command-line.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-7-systemkey-access-via-command-line]] +=== SystemKey Access via Command Line + +Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and + process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Credentials from Password Stores +** ID: T1555 +** Reference URL: https://attack.mitre.org/techniques/T1555/ +* Sub-technique: +** Name: Keychain +** ID: T1555.001 +** Reference URL: https://attack.mitre.org/techniques/T1555/001/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc new file mode 100644 index 0000000000..d3adf31e71 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc 
@@ -0,0 +1,63 @@ +[[prebuilt-rule-8-10-7-tcc-bypass-via-mounted-apfs-snapshot-access]] +=== TCC Bypass via Mounted APFS Snapshot Access + +Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple’s privacy framework (TCC). + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: high + +*Risk score*: 73 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://theevilbit.github.io/posts/cve_2020_9771/ + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Defense Evasion +* Use Case: Vulnerability +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and + process.args:(/System/Volumes/Data and noowners) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Defense Evasion +** ID: TA0005 +** Reference URL: https://attack.mitre.org/tactics/TA0005/ +* Technique: +** Name: Direct Volume Access +** ID: T1006 +** Reference URL: https://attack.mitre.org/techniques/T1006/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-unexpected-child-process-of-macos-screensaver-engine.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-unexpected-child-process-of-macos-screensaver-engine.asciidoc new file mode 100644 index 0000000000..3e4603ff22 --- /dev/null 
+++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-unexpected-child-process-of-macos-screensaver-engine.asciidoc 
@@ -0,0 +1,81 @@ +[[prebuilt-rule-8-10-7-unexpected-child-process-of-macos-screensaver-engine]] +=== Unexpected Child Process of macOS Screensaver Engine + +Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://posts.specterops.io/saving-your-access-d562bf5bf90b +* https://github.com/D00MFist/PersistentJXA + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Persistence +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Investigation guide + + +[source, markdown] +---------------------------------- +## Triage and analysis + +- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such +as a download of a payload from a server. +- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to +identify whether the file is malicious or not. 
+ + +---------------------------------- + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine" + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Persistence +** ID: TA0003 +** Reference URL: https://attack.mitre.org/tactics/TA0003/ +* Technique: +** Name: Event Triggered Execution +** ID: T1546 +** Reference URL: https://attack.mitre.org/techniques/T1546/ +* Sub-technique: +** Name: Screensaver +** ID: T1546.002 +** Reference URL: https://attack.mitre.org/techniques/T1546/002/ diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-virtual-private-network-connection-attempt.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-virtual-private-network-connection-attempt.asciidoc new file mode 100644 index 0000000000..0e7d9fb3b2 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-virtual-private-network-connection-attempt.asciidoc 
@@ -0,0 +1,68 @@ +[[prebuilt-rule-8-10-7-virtual-private-network-connection-attempt]] +=== Virtual Private Network Connection Attempt + +Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network. + +*Rule type*: eql + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: low + +*Risk score*: 21 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb +* https://www.unix.com/man-page/osx/8/networksetup/ +* https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Lateral Movement +* Data Source: Elastic Defend + +*Version*: 106 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +process where host.os.type == "macos" and event.type in ("start", "process_started") and + ( + (process.name : "networksetup" and process.args : "-connectpppoeservice") or + (process.name : "scutil" and process.args : "--nc" and process.args : "start") or + (process.name : "osascript" and process.command_line : "osascript*set VPN to service*") + ) + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Lateral Movement +** ID: TA0008 +** Reference URL: https://attack.mitre.org/tactics/TA0008/ +* Technique: +** Name: Remote Services +** ID: T1021 +** Reference URL: https://attack.mitre.org/techniques/T1021/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-webproxy-settings-modification.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-webproxy-settings-modification.asciidoc new file mode 100644 index 0000000000..3a6ee111e5 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rule-8-10-7-webproxy-settings-modification.asciidoc 
@@ -0,0 +1,66 @@ +[[prebuilt-rule-8-10-7-webproxy-settings-modification]] +=== WebProxy Settings Modification + +Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. + +*Rule type*: query + +*Rule indices*: + +* logs-endpoint.events.* + +*Severity*: medium + +*Risk score*: 47 + +*Runs every*: 5m + +*Searches indices from*: now-9m ({ref}/common-options.html#date-math[Date Math format], see also <>) + +*Maximum alerts per execution*: 100 + +*References*: + +* https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/ +* https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf + +*Tags*: + +* Domain: Endpoint +* OS: macOS +* Use Case: Threat Detection +* Tactic: Credential Access +* Data Source: Elastic Defend + +*Version*: 105 + +*Rule authors*: + +* Elastic + +*Rule license*: Elastic License v2 + + +==== Rule query + + +[source, js] +---------------------------------- +event.category:process and host.os.type:macos and event.type:start and + process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and + not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or + "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or + "/usr/libexec/xpcproxy") + +---------------------------------- + +*Framework*: MITRE ATT&CK^TM^ + +* Tactic: +** Name: Credential Access +** ID: TA0006 +** Reference URL: https://attack.mitre.org/tactics/TA0006/ +* Technique: +** Name: Steal Web Session Cookie +** ID: T1539 +** Reference URL: https://attack.mitre.org/techniques/T1539/ 
diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rules-8-10-7-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rules-8-10-7-appendix.asciidoc new file mode 100644 index 0000000000..b488f37711 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rules-8-10-7-appendix.asciidoc 
@@ -0,0 +1,85 @@ +["appendix",role="exclude",id="prebuilt-rule-8-10-7-prebuilt-rules-8-10-7-appendix"] += Downloadable rule update v8.10.7 + +This section lists all updates associated with version 8.10.7 of the Fleet integration *Prebuilt Security Detection Rules*. + + +include::prebuilt-rule-8-10-7-potential-okta-mfa-bombing-via-push-notifications.asciidoc[] +include::prebuilt-rule-8-10-7-first-occurrence-of-okta-user-session-started-via-proxy.asciidoc[] +include::prebuilt-rule-8-10-7-multiple-okta-users-with-the-same-device-token-hash.asciidoc[] +include::prebuilt-rule-8-10-7-multiple-okta-client-addresses-for-a-single-user-session.asciidoc[] +include::prebuilt-rule-8-10-7-new-okta-authentication-behavior-detected.asciidoc[] +include::prebuilt-rule-8-10-7-okta-fastpass-phishing-detection.asciidoc[] +include::prebuilt-rule-8-10-7-okta-user-sessions-started-from-different-geolocations.asciidoc[] +include::prebuilt-rule-8-10-7-okta-sign-in-events-via-third-party-idp.asciidoc[] +include::prebuilt-rule-8-10-7-multiple-okta-sessions-detected-for-a-single-user.asciidoc[] +include::prebuilt-rule-8-10-7-new-okta-identity-provider-idp-added-by-admin.asciidoc[] +include::prebuilt-rule-8-10-7-first-time-seen-newcredentials-logon-process.asciidoc[] +include::prebuilt-rule-8-10-7-potentially-successful-mfa-bombing-via-push-notifications.asciidoc[] +include::prebuilt-rule-8-10-7-access-of-stored-browser-credentials.asciidoc[] +include::prebuilt-rule-8-10-7-access-to-keychain-credentials-directories.asciidoc[] +include::prebuilt-rule-8-10-7-dumping-account-hashes-via-built-in-commands.asciidoc[] +include::prebuilt-rule-8-10-7-dumping-of-keychain-content-via-security-command.asciidoc[] +include::prebuilt-rule-8-10-7-kerberos-cached-credentials-dumping.asciidoc[] +include::prebuilt-rule-8-10-7-keychain-password-retrieval-via-command-line.asciidoc[] +include::prebuilt-rule-8-10-7-webproxy-settings-modification.asciidoc[] 
+include::prebuilt-rule-8-10-7-potential-macos-ssh-brute-force-detected.asciidoc[] +include::prebuilt-rule-8-10-7-prompt-for-credentials-with-osascript.asciidoc[] +include::prebuilt-rule-8-10-7-systemkey-access-via-command-line.asciidoc[] +include::prebuilt-rule-8-10-7-softwareupdate-preferences-modification.asciidoc[] +include::prebuilt-rule-8-10-7-attempt-to-remove-file-quarantine-attribute.asciidoc[] +include::prebuilt-rule-8-10-7-attempt-to-disable-gatekeeper.asciidoc[] +include::prebuilt-rule-8-10-7-attempt-to-install-root-certificate.asciidoc[] +include::prebuilt-rule-8-10-7-modification-of-environment-variable-via-launchctl.asciidoc[] +include::prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-tccdb-modification.asciidoc[] +include::prebuilt-rule-8-10-7-potential-privacy-control-bypass-via-localhost-secure-copy.asciidoc[] +include::prebuilt-rule-8-10-7-modification-of-safari-settings-via-defaults-command.asciidoc[] +include::prebuilt-rule-8-10-7-potential-microsoft-office-sandbox-evasion.asciidoc[] +include::prebuilt-rule-8-10-7-tcc-bypass-via-mounted-apfs-snapshot-access.asciidoc[] +include::prebuilt-rule-8-10-7-attempt-to-unload-elastic-endpoint-security-kernel-extension.asciidoc[] +include::prebuilt-rule-8-10-7-enumeration-of-users-or-groups-via-built-in-commands.asciidoc[] +include::prebuilt-rule-8-10-7-execution-via-electron-child-process-node-js-module.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-browser-child-process.asciidoc[] +include::prebuilt-rule-8-10-7-macos-installer-package-spawns-network-event.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-automator-workflows-execution.asciidoc[] +include::prebuilt-rule-8-10-7-apple-script-execution-followed-by-network-connection.asciidoc[] +include::prebuilt-rule-8-10-7-shell-execution-via-apple-scripting.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-macos-ms-office-child-process.asciidoc[] +include::prebuilt-rule-8-10-7-potential-kerberos-attack-via-bifrost.asciidoc[] 
+include::prebuilt-rule-8-10-7-attempt-to-mount-smb-share-via-command-line.asciidoc[] +include::prebuilt-rule-8-10-7-remote-ssh-login-enabled-via-systemsetup-command.asciidoc[] +include::prebuilt-rule-8-10-7-virtual-private-network-connection-attempt.asciidoc[] +include::prebuilt-rule-8-10-7-potential-hidden-local-user-account-creation.asciidoc[] +include::prebuilt-rule-8-10-7-launch-agent-creation-or-modification-and-immediate-loading.asciidoc[] +include::prebuilt-rule-8-10-7-creation-of-hidden-login-item-via-apple-script.asciidoc[] +include::prebuilt-rule-8-10-7-launchdaemon-creation-or-modification-and-immediate-loading.asciidoc[] +include::prebuilt-rule-8-10-7-authorization-plugin-modification.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-crontab-creation-or-modification.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-hidden-child-process-of-launchd.asciidoc[] +include::prebuilt-rule-8-10-7-persistence-via-directoryservice-plugin-modification.asciidoc[] +include::prebuilt-rule-8-10-7-persistence-via-docker-shortcut-modification.asciidoc[] +include::prebuilt-rule-8-10-7-emond-rules-creation-or-modification.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-emond-child-process.asciidoc[] +include::prebuilt-rule-8-10-7-attempt-to-enable-the-root-account.asciidoc[] +include::prebuilt-rule-8-10-7-creation-of-hidden-launch-agent-or-daemon.asciidoc[] +include::prebuilt-rule-8-10-7-finder-sync-plugin-registered-and-enabled.asciidoc[] +include::prebuilt-rule-8-10-7-persistence-via-folder-action-script.asciidoc[] +include::prebuilt-rule-8-10-7-persistence-via-login-or-logout-hook.asciidoc[] +include::prebuilt-rule-8-10-7-potential-persistence-via-login-hook.asciidoc[] +include::prebuilt-rule-8-10-7-sublime-plugin-or-application-script-modification.asciidoc[] +include::prebuilt-rule-8-10-7-potential-persistence-via-periodic-tasks.asciidoc[] +include::prebuilt-rule-8-10-7-unexpected-child-process-of-macos-screensaver-engine.asciidoc[] 
+include::prebuilt-rule-8-10-7-screensaver-plist-file-modified-by-unexpected-process.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-calendar-file-modification.asciidoc[] +include::prebuilt-rule-8-10-7-potential-persistence-via-atom-init-script-modification.asciidoc[] +include::prebuilt-rule-8-10-7-apple-scripting-execution-with-administrator-privileges.asciidoc[] +include::prebuilt-rule-8-10-7-execution-with-explicit-credentials-via-scripting.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-child-process-of-adobe-acrobat-reader-update-service.asciidoc[] +include::prebuilt-rule-8-10-7-potential-admin-group-account-addition.asciidoc[] +include::prebuilt-rule-8-10-7-privilege-escalation-via-root-crontab-file-modification.asciidoc[] +include::prebuilt-rule-8-10-7-remote-file-copy-via-teamviewer.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-werfault-child-process.asciidoc[] +include::prebuilt-rule-8-10-7-suspicious-managed-code-hosting-process.asciidoc[] +include::prebuilt-rule-8-10-7-remote-execution-via-file-shares.asciidoc[] +include::prebuilt-rule-8-10-7-account-configured-with-never-expiring-password.asciidoc[] +include::prebuilt-rule-8-10-7-creation-of-a-hidden-local-user-account.asciidoc[] diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rules-8-10-7-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rules-8-10-7-summary.asciidoc new file mode 100644 index 0000000000..9f1e586677 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-10-7/prebuilt-rules-8-10-7-summary.asciidoc 
@@ -0,0 +1,170 @@ +[[prebuilt-rule-8-10-7-prebuilt-rules-8-10-7-summary]] +[role="xpack"] +== Update v8.10.7 + +This section lists all updates associated with version 8.10.7 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|<> | Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. | new | 1 + +|<> | Identifies the first occurrence of an Okta user session started via a proxy. | new | 1 + +|<> | Detects when Okta user or system events are reported for multiple users with the same device token hash. | new | 1 + +|<> | Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources. | new | 1 + +|<> | Detects events where Okta behavior detection has identified a new authentication behavior. | new | 1 + +|<> | Detects when Okta FastPass prevents a user from authenticating to a phishing website. | new | 2 + +|<> | Detects when a specific Okta actor has multiple sessions started from different geolocations. | new | 1 + +|<> | Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP). | new | 1 + +|<> | Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location. | new | 1 + +|<> | Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta. 
| new | 1 + +|<> | Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions. | new | 1 + +|<> | Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access. | update | 208 + +|<> | Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. | update | 106 + +|<> | Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. | update | 106 + +|<> | Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement. | update | 105 + +|<> | Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. | update | 106 + +|<> | Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement. 
| update | 105 + +|<> | Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. | update | 106 + +|<> | Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. | update | 105 + +|<> | Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. | update | 106 + +|<> | Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials. | update | 106 + +|<> | Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials. | update | 105 + +|<> | Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates. | update | 105 + +|<> | Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. | update | 106 + +|<> | Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that's designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code. 
| update | 105 + +|<> | Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. | update | 105 + +|<> | Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions. | update | 105 + +|<> | Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar. | update | 106 + +|<> | Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files. | update | 106 + +|<> | Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser. | update | 105 + +|<> | Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion. 
| update | 105 + +|<> | Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple’s privacy framework (TCC). | update | 105 + +|<> | Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command. | update | 105 + +|<> | Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act. | update | 106 + +|<> | Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes. | update | 105 + +|<> | Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation. | update | 105 + +|<> | Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package. | update | 105 + +|<> | Identifies the execution of the Automator Workflows process followed by a network connection from it's XPC service. 
Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript. | update | 105 + +|<> | Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control. | update | 105 + +|<> | Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. | update | 105 + +|<> | Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros. | update | 105 + +|<> | Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting. | update | 105 + +|<> | Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB. | update | 106 + +|<> | Detects use of the systemsetup command to enable remote SSH Login. | update | 105 + +|<> | Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network. | update | 106 + +|<
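Review bot: several rule descriptions in this index table carry wording errors that will be published as-is, so they should be corrected in the rule metadata these cells come from rather than patched only here. In the keychain entry, "to in order to acquire credentials" should read "in order to acquire credentials"; the Automator Workflows entry's "from it's XPC service" should be "from its XPC service"; the Safari entry's "hijacking of the users browser" should be "user's browser"; and the installer-package entry writes "MacOS" where every other row uses "macOS" and drops the period in "e.g bash" / "e.g curl". Separately, every cross-reference cell in these rows shows a bare `<>` with no anchor name, which would leave the rule links pointing at nothing; please confirm the `<<rule-anchor>>` targets survived the regeneration of this table before merging.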
