From 1e28385ea4ba8bf84c03d83bee0fc4192c1ff12c Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 22 Jul 2022 16:16:27 -0400
Subject: [PATCH] [Rule Tuning] Enumeration of Users or Groups via Built-in Commands (#2136)

* fix parens and exclude parent process FPs and update description
---
 ...covery_users_domain_built_in_commands.toml | 28 +++++++++++++------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index b0fe70db9..040026757 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -1,11 +1,14 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2022/03/31"
+updated_date = "2022/07/21"
 
 [rule]
 author = ["Elastic"]
-description = "Identifies the execution of macOS built-in commands related to account or group enumeration."
+description = """
+Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use
+account and group information to orient themselves before deciding how to act.
+"""
 from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
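Review bot: The reworded `description` in the `[rule]` block says what the rule looks for but nothing about why it was tuned, while the commit's other hunk extends the parent-process exclusion list with several device-management and endpoint-security agents; an analyst triaging an alert would be better served by a `false_positives` entry under `[rule]` recording that such agents (the Jamf, NoMAD, AirWatch, JumpCloud, ESET and FortiClient binaries excluded in the query) run these enumeration commands as part of normal operation and are filtered by parent executable. The remaining keys of the `[rule]` table lie outside this hunk, so it is unclear whether such an entry already exists; add one only if it does not. A constructed example: `false_positives = ["Device-management and endpoint-security agents enumerate users and groups during normal operation; known agents are excluded by parent executable."]`.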
@@ -24,17 +27,24 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
+ (
+ process.name : ("ldapsearch", "dsmemberutil") or
+ (process.name : "dscl" and
+ process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
+ process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
+ ) and
 not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
- "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence",
+ "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence",
 "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree",
 "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon",
 "/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect",
- "/usr/local/jamf/bin/jamf"
- ) and
- process.name : ("ldapsearch", "dsmemberutil") or
- (process.name : "dscl" and
- process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
- process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
+ "/usr/local/jamf/bin/jamf",
+ "/Library/Application Support/AirWatch/hubd",
+ "/opt/jc/bin/jumpcloud-agent",
+ "/Applications/ESET Endpoint Antivirus.app/Contents/MacOS/esets_daemon",
+ "/Applications/ESET Endpoint Security.app/Contents/MacOS/esets_daemon",
+ "/Library/PrivilegedHelperTools/com.fortinet.forticlient.uninstall_helper"
+ )
 '''