rules/macos/persistence_folder_action_scripts_runtime.toml

[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is
attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this
feature to establish persistence by utilizing a malicious script.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Folder Action Script"
references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"]
risk_score = 47
rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"]
type = "eql"

query = '''
sequence by host.id with maxspan=5s
 [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid
 [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and
  not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt"
 ] by process.parent.pid
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`[metadata]`
			`creation_date = "2020/12/07"`
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00			`integration = ["endpoint"]`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`maturity = "production"`
min_stack all rules to 8.3 (#2259 ) 2022-08-24 10:38:49 -06:00			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
			`min_stack_version = "8.3.0"`
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) 2023-03-05 09:41:19 -09:00			`updated_date = "2023/02/22"`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429 ) 2023-01-04 09:30:07 -05:00			`Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is`
			`attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this`
			`feature to establish persistence by utilizing a malicious script.`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`"""`
			`from = "now-9m"`
			`index = ["auditbeat-", "logs-endpoint.events."]`
			`language = "eql"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`name = "Persistence via Folder Action Script"`
			`references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"]`
			`risk_score = 47`
			`rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7"`
			`severity = "medium"`
			`tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"]`
			`type = "eql"`

			`query = '''`
			`sequence by host.id with maxspan=5s`
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593 ) 2023-03-05 09:41:19 -09:00			`[process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid`
			`[process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and`
[Rule Tuning] Persistence via Folder Action Script (#2174 ) 2022-08-05 14:36:05 -04:00			`not process.args : "/Users//Library/Application Support/iTerm2/Scripts/AutoLaunch/.scpt"`
			`] by process.parent.pid`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1037"`
			`name = "Boot or Logon Initialization Scripts"`
			`reference = "https://attack.mitre.org/techniques/T1037/"`


			`[rule.threat.tactic]`
			`id = "TA0003"`
			`name = "Persistence"`
			`reference = "https://attack.mitre.org/tactics/TA0003/"`
			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`


			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00