rules/macos/persistence_folder_action_scripts_runtime.toml

[metadata]
creation_date = "2020/12/07"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"

[rule]
author = ["Elastic"]
description = """
Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its
window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a
malicious script.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Folder Action Script"
references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"]
risk_score = 47
rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"]
type = "eql"

query = '''
sequence by host.id with maxspan=5s
 [process where event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid
 [process where event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and
  not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt"
 ] by process.parent.pid
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`[metadata]`
			`creation_date = "2020/12/07"`
			`maturity = "production"`
min_stack all rules to 8.3 (#2259 ) 2022-08-24 10:38:49 -06:00			`min_stack_comments = "New fields added: required_fields, related_integrations, setup"`
			`min_stack_version = "8.3.0"`
			`updated_date = "2022/08/24"`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00
			`[rule]`
			`author = ["Elastic"]`
			`description = """`
[Security Content] Update rules based on docs review (#1803 ) 2022-03-01 21:39:30 -03:00			`Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a`
			`malicious script.`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`"""`
			`from = "now-9m"`
			`index = ["auditbeat-", "logs-endpoint.events."]`
			`language = "eql"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00			`license = "Elastic License v2"`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`name = "Persistence via Folder Action Script"`
			`references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"]`
			`risk_score = 47`
			`rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7"`
			`severity = "medium"`
			`tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"]`
			`type = "eql"`

			`query = '''`
			`sequence by host.id with maxspan=5s`
			`[process where event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid`
[Rule Tuning] Persistence via Folder Action Script (#2174 ) 2022-08-05 14:36:05 -04:00			`[process where event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and`
			`not process.args : "/Users//Library/Application Support/iTerm2/Scripts/AutoLaunch/.scpt"`
			`] by process.parent.pid`
[New Rule] Persistence via Folder Action Script (#685 ) 2020-12-08 11:51:52 +01:00			`'''`


			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1037"`
			`name = "Boot or Logon Initialization Scripts"`
			`reference = "https://attack.mitre.org/techniques/T1037/"`


			`[rule.threat.tactic]`
			`id = "TA0003"`
			`name = "Persistence"`
			`reference = "https://attack.mitre.org/tactics/TA0003/"`
			`[[rule.threat]]`
			`framework = "MITRE ATT&CK"`
			`[[rule.threat.technique]]`
			`id = "T1059"`
			`name = "Command and Scripting Interpreter"`
			`reference = "https://attack.mitre.org/techniques/T1059/"`


			`[rule.threat.tactic]`
			`id = "TA0002"`
			`name = "Execution"`
			`reference = "https://attack.mitre.org/tactics/TA0002/"`
Update License to Elastic v2 (#944 ) 2021-03-03 22:12:11 -09:00