security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Sublime Plugin or Application Script Modification (#761)

Browse Source 
* [New Rule] Sublime Plugin or Application Script Modification

* excluded some noisy procs

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added T1554

* fixed tactic

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
This commit is contained in:
Samirbous
2021-02-08 16:34:44 +01:00
committed by GitHub
parent 82fe227030
commit 4cb28adece
1 changed files with 55 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+55
View File
@@ -0,0 +1,55 @@
[metadata]
creation_date = "2020/12/23"
maturity = "production"
updated_date = "2020/12/23"
[rule]
author = ["Elastic"]
description = """
Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time
the Sublime application is started.
"""
false_positives = ["Legitimate Sublime plugins or application updates"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License"
name = "Sublime Plugin or Application Script Modification"
references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
risk_score = 21
rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
type = "eql"
query = '''
file where event.type in ("change", "creation") and file.extension : "py" and
file.path :
(
"/Users/*/Library/Application Support/Sublime Text*/Packages/*.py",
"/Applications/Sublime Text.app/Contents/MacOS/sublime.py"
) and
not process.executable :
(
"/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*",
"/usr/local/Cellar/git/*/bin/git",
"/usr/libexec/xpcproxy",
"/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper",
"/Applications/Sublime Text.app/Contents/MacOS/plugin_host"
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Client Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"