# Rule lifecycle and stack-compatibility metadata.
[metadata]
creation_date = "2020/08/14"
updated_date = "2023/02/22"
integration = ["endpoint"]
maturity = "production"
# The fields named in min_stack_comments only exist on 8.3.0 and later.
min_stack_version = "8.3.0"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Detection rule: macOS process starts whose arguments reference keychain
# directories or keychain files, minus routine keychain-administration
# commands and a short allowlist of known parent agents.
[rule]
name = "Access to Keychain Credentials Directories"
rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
author = ["Elastic"]
license = "Elastic License v2"
description = """
Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way
for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords,
websites, secure notes and certificates.
"""
type = "eql"
language = "eql"
index = ["auditbeat-*", "logs-endpoint.events.*"]
from = "now-9m"
# The rule is evaluated on event.ingested rather than @timestamp; the note
# below explains what is needed on indices that do not populate that field.
timestamp_override = "event.ingested"
note = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
    "https://objective-see.com/blog/blog_0x25.html",
    "https://securelist.com/calisto-trojan-for-macos/86543/",
]
risk_score = 73
severity = "high"
tags = [
    "Elastic",
    "Host",
    "macOS",
    "Threat Detection",
    "Credential Access",
]
# The three `not` clauses are allowlists: argument values used for routine
# keychain administration, parent executables of agents that legitimately
# touch keychain paths, and one agent executable. Every entry added here
# widens the rule's blind spot, so keep the lists short and reviewed.
query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and
  process.args :
    (
      "/Users/*/Library/Keychains/*",
      "/Library/Keychains/*",
      "/Network/Library/Keychains/*",
      "System.keychain",
      "login.keychain-db",
      "login.keychain"
    ) and
  not process.args : ("find-certificate",
                      "add-trusted-cert",
                      "set-keychain-settings",
                      "delete-certificate",
                      "/Users/*/Library/Keychains/openvpn.keychain-db",
                      "show-keychain-info",
                      "lock-keychain",
                      "set-key-partition-list",
                      "import",
                      "find-identity") and
  not process.parent.executable :
    (
      "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect",
      "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise",
      "/opt/jc/bin/jumpcloud-agent"
    ) and
  not process.executable : "/opt/jc/bin/jumpcloud-agent"
'''
# MITRE ATT&CK mapping for this rule: one tactic, one technique with one
# sub-technique.
[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat.technique]]
id = "T1555"
name = "Credentials from Password Stores"
reference = "https://attack.mitre.org/techniques/T1555/"

[[rule.threat.technique.subtechnique]]
id = "T1555.001"
name = "Keychain"
reference = "https://attack.mitre.org/techniques/T1555/001/"