[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775)

* [New Rule] TCC Bypass via Mounted APFS Snapshot Access

* Update defense_evasion_tcc_bypass_mounted_apfs_access.toml

* conv to kql

* Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml

@@ -0,0 +1,42 @@
+[metadata]
+creation_date = "2020/01/04"
+maturity = "production"
+updated_date = "2020/01/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots
+as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file
+system, including all user data and files protected by Apple’s privacy framework (TCC).
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "kuery"
+license = "Elastic License"
+name = "TCC Bypass via Mounted APFS Snapshot Access"
+references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
+risk_score = 73
+rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
+severity = "high"
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+type = "query"
+
+query = '''
+event.category : process and event.type : (start or process_started) and process.name : mount_apfs and
+  process.args : (/System/Volumes/Data and noowners)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1006"
+name = "Direct Volume Access"
+reference = "https://attack.mitre.org/techniques/T1006/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"