From 4cb28adeced377dc31c9f78625786bc0f8f589c4 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 8 Feb 2021 16:34:44 +0100 Subject: [PATCH] [New Rule] Sublime Plugin or Application Script Modification (#761) * [New Rule] Sublime Plugin or Application Script Modification * excluded some noisy procs * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added T1554 * fixed tactic Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- ...fication_sublime_app_plugin_or_script.toml | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 rules/macos/persistence_modification_sublime_app_plugin_or_script.toml diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml new file mode 100644 index 000000000..92b24aae2 --- /dev/null +++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2020/12/23" +maturity = "production" +updated_date = "2020/12/23" + +[rule] +author = ["Elastic"] +description = """ +Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time +the Sublime application is started. +""" +false_positives = ["Legitimate Sublime plugins or application updates"] +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Sublime Plugin or Application Script Modification" +references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"] +risk_score = 21 +rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a" +severity = "low" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"] +type = "eql" + +query = ''' +file where event.type in ("change", "creation") and file.extension : "py" and + file.path : + ( + "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", + "/Applications/Sublime Text.app/Contents/MacOS/sublime.py" + ) and + not process.executable : + ( + "/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*", + "/usr/local/Cellar/git/*/bin/git", + "/usr/libexec/xpcproxy", + "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper", + "/Applications/Sublime Text.app/Contents/MacOS/plugin_host" + ) + +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1554" +name = "Compromise Client Software Binary" +reference = "https://attack.mitre.org/techniques/T1554/" + + +[rule.threat.tactic] +id = "TA0003" +name = "Persistence" +reference = "https://attack.mitre.org/tactics/TA0003/"