rules/macos/privilege_escalation_explicit_creds_via_scripting.toml

[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/03/18"

[rule]
author = ["Elastic"]
description = """
Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use
AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should
not be run by itself, as this is a sign of execution with explicit logon credentials.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Execution with Explicit Credentials via Scripting"
references = [
    "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
    "https://www.manpagez.com/man/8/security_authtrampoline/",
]
risk_score = 47
rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.name == "security_authtrampoline" and
 process.parent.name like~ ("osascript", "com.apple.automator.runner", "sh", "bash", "dash", "zsh", "python*", "perl*", "php*", "ruby", "pwsh")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Execution with Explicit Credentials via Scripting

In macOS environments, the `security_authtrampoline` process is used to execute programs with elevated privileges via scripting interpreters. Adversaries may exploit this by using explicit credentials to run unauthorized scripts, gaining root access. The detection rule identifies such activities by monitoring the initiation of `security_authtrampoline` through common scripting languages, flagging potential privilege escalation attempts.

### Possible investigation steps

- Review the process details to confirm the parent process name matches one of the specified scripting interpreters (e.g., osascript, bash, python) to verify the context of the alert.
- Examine the command line arguments of the security_authtrampoline process to identify the script or program being executed and assess its legitimacy.
- Investigate the user account associated with the process to determine if the credentials used are valid and expected for executing such scripts.
- Check the historical activity of the involved user account and associated processes to identify any patterns of unusual or unauthorized behavior.
- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities.
- Assess the system for any signs of compromise or unauthorized changes, such as unexpected new files, altered configurations, or additional unauthorized processes running.

### False positive analysis

- Legitimate administrative tasks using scripting languages may trigger this rule. Users should review the context of the script execution to determine if it aligns with expected administrative activities.
- Automated scripts or scheduled tasks that require elevated privileges might be flagged. Consider creating exceptions for known scripts by specifying their hash or path in the monitoring system.
- Development or testing environments where developers frequently use scripting languages to test applications with elevated privileges can cause false positives. Implement a policy to exclude these environments from the rule or adjust the risk score to reflect the lower threat level.
- Security tools or software updates that use scripting interpreters to perform legitimate actions with elevated privileges may be mistakenly identified. Verify the source and purpose of such processes and whitelist them if they are deemed safe.
- User-initiated scripts for personal productivity that require elevated access could be misinterpreted as threats. Educate users on safe scripting practices and establish a process for them to report and document legitimate use cases for exclusion.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or lateral movement.
- Terminate the `security_authtrampoline` process if it is still running to stop any ongoing unauthorized activities.
- Review and revoke any compromised credentials used in the execution of the unauthorized script to prevent further misuse.
- Conduct a thorough examination of the system for any additional unauthorized scripts or malware that may have been deployed using the compromised credentials.
- Restore the system from a known good backup if any unauthorized changes or persistent threats are detected.
- Implement stricter access controls and monitoring for the use of scripting interpreters and the `security_authtrampoline` process to prevent similar privilege escalation attempts.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00			`[metadata]`
			`creation_date = "2020/12/07"`
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00			`integration = ["endpoint"]`
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00			`maturity = "production"`
[Tuning] MacOS DR Tuning PR (#4546 ) 2025-04-21 17:32:05 -05:00			`updated_date = "2025/03/18"`
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
[Rule Tuning] Execution with Explicit Credentials via Scripting (#910 ) 2021-02-09 22:06:23 +01:00			`Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use`
			`AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should`
			`not be run by itself, as this is a sign of execution with explicit logon credentials.`
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00			`"""`
			`from = "now-9m"`
Setup Guide information for MacOS rules (#3274 ) 2023-11-22 20:18:22 +05:30			`index = ["logs-endpoint.events.*"]`
[Tuning] MacOS DR Tuning PR (#4546 ) 2025-04-21 17:32:05 -05:00			`language = "eql"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
[Rule Tuning] Execution with Explicit Credentials via Scripting (#910 ) 2021-02-09 22:06:23 +01:00			`name = "Execution with Explicit Credentials via Scripting"`
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00			`references = [`
			`"https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",`
			`"https://www.manpagez.com/man/8/security_authtrampoline/",`
			`]`
			`risk_score = 47`
			`rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1"`
[Security Content] Small tweaks on the setup guides (#3308 ) 2024-03-11 09:09:40 -03:00			`setup = """## Setup`
Setup Guide information for MacOS rules (#3274 ) 2023-11-22 20:18:22 +05:30
			`This rule requires data coming in from Elastic Defend.`

			`### Elastic Defend Integration Setup`
			`Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.`

			`#### Prerequisite Requirements:`
			`- Fleet is required for Elastic Defend.`
			`- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).`

			`#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:`
			`- Go to the Kibana home page and click "Add integrations".`
			`- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.`
			`- Click "Add Elastic Defend".`
			`- Configure the integration name and optionally add a description.`
			`- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".`
			`- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).`
			`- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"`
			`- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.`
			`For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).`
			`- Click "Save and Continue".`
			`- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.`
			`For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).`
			`"""`
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00			`severity = "medium"`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30			`tags = [`
			`"Domain: Endpoint",`
			`"OS: macOS",`
			`"Use Case: Threat Detection",`
			`"Tactic: Execution",`
			`"Tactic: Privilege Escalation",`
			`"Data Source: Elastic Defend",`
[FR] Generate investigation guides (#4358 ) 2025-01-22 11:17:38 -06:00			`"Resources: Investigation Guide",`
Back-porting Version Trimming (#3704 ) 2024-05-23 00:45:10 +05:30			`]`
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) 2021-02-17 19:49:58 -09:00			`timestamp_override = "event.ingested"`
[Tuning] MacOS DR Tuning PR (#4546 ) 2025-04-21 17:32:05 -05:00			`type = "eql"`
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00
			`query = '''`
[Tuning] MacOS DR Tuning PR (#4546 ) 2025-04-21 17:32:05 -05:00			`process where host.os.type == "macos" and event.type in ("start", "process_started") and`
			`process.name == "security_authtrampoline" and`
			`process.parent.name like~ ("osascript", "com.apple.automator.runner", "sh", "bash", "dash", "zsh", "python", "perl", "php*", "ruby", "pwsh")`
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00			`'''`
[FR] Generate investigation guides (#4358 ) 2025-01-22 11:17:38 -06:00			`note = """## Triage and analysis`

			`> Disclaimer:`
			`> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.`

			`### Investigating Execution with Explicit Credentials via Scripting`

			In macOS environments, the `security_authtrampoline` process is used to execute programs with elevated privileges via scripting interpreters. Adversaries may exploit this by using explicit credentials to run unauthorized scripts, gaining root access. The detection rule identifies such activities by monitoring the initiation of `security_authtrampoline` through common scripting languages, flagging potential privilege escalation attempts.

			`### Possible investigation steps`

			`- Review the process details to confirm the parent process name matches one of the specified scripting interpreters (e.g., osascript, bash, python) to verify the context of the alert.`
			`- Examine the command line arguments of the security_authtrampoline process to identify the script or program being executed and assess its legitimacy.`
			`- Investigate the user account associated with the process to determine if the credentials used are valid and expected for executing such scripts.`
			`- Check the historical activity of the involved user account and associated processes to identify any patterns of unusual or unauthorized behavior.`
			`- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities.`
			`- Assess the system for any signs of compromise or unauthorized changes, such as unexpected new files, altered configurations, or additional unauthorized processes running.`

			`### False positive analysis`

			`- Legitimate administrative tasks using scripting languages may trigger this rule. Users should review the context of the script execution to determine if it aligns with expected administrative activities.`
			`- Automated scripts or scheduled tasks that require elevated privileges might be flagged. Consider creating exceptions for known scripts by specifying their hash or path in the monitoring system.`
			`- Development or testing environments where developers frequently use scripting languages to test applications with elevated privileges can cause false positives. Implement a policy to exclude these environments from the rule or adjust the risk score to reflect the lower threat level.`
			`- Security tools or software updates that use scripting interpreters to perform legitimate actions with elevated privileges may be mistakenly identified. Verify the source and purpose of such processes and whitelist them if they are deemed safe.`
			`- User-initiated scripts for personal productivity that require elevated access could be misinterpreted as threats. Educate users on safe scripting practices and establish a process for them to report and document legitimate use cases for exclusion.`

			`### Response and remediation`

			`- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or lateral movement.`
			- Terminate the `security_authtrampoline` process if it is still running to stop any ongoing unauthorized activities.
			`- Review and revoke any compromised credentials used in the execution of the unauthorized script to prevent further misuse.`
			`- Conduct a thorough examination of the system for any additional unauthorized scripts or malware that may have been deployed using the compromised credentials.`
			`- Restore the system from a known good backup if any unauthorized changes or persistent threats are detected.`
			- Implement stricter access controls and monitoring for the use of scripting interpreters and the `security_authtrampoline` process to prevent similar privilege escalation attempts.
			`- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""`
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00

			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1078"`
			`name = "Valid Accounts"`
			`reference = "https://attack.mitre.org/techniques/T1078/"`

[Rule Tuning] Execution with Explicit Credentials via Scripting (#2190 ) 2022-08-02 14:21:00 -04:00			`[[rule.threat.technique]]`
			`id = "T1548"`
			`name = "Abuse Elevation Control Mechanism"`
			`reference = "https://attack.mitre.org/techniques/T1548/"`
			`[[rule.threat.technique.subtechnique]]`
			`id = "T1548.004"`
			`name = "Elevated Execution with Prompt"`
			`reference = "https://attack.mitre.org/techniques/T1548/004/"`


[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) 2020-12-08 11:57:52 +01:00
			`[rule.threat.tactic]`
			`id = "TA0004"`
			`name = "Privilege Escalation"`
			`reference = "https://attack.mitre.org/tactics/TA0004/"`
			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`


			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`
[Rule Tuning] Execution with Explicit Credentials via Scripting (#910 ) 2021-02-09 22:06:23 +01:00