From 5d9c031c8bbe1f3a687f99f2242fa8bad24bb85b Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 26 Jan 2021 08:50:28 +0100 Subject: [PATCH] [New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775) * [New Rule] TCC Bypass via Mounted APFS Snapshot Access * Update defense_evasion_tcc_bypass_mounted_apfs_access.toml * conv to kql * Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...vasion_tcc_bypass_mounted_apfs_access.toml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml new file mode 100644 index 000000000..357a6cc3d --- /dev/null +++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml @@ -0,0 +1,42 @@ +[metadata] +creation_date = "2020/01/04" +maturity = "production" +updated_date = "2020/01/04" + +[rule] +author = ["Elastic"] +description = """ +Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots +as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file +system, including all user data and files protected by Appleā€™s privacy framework (TCC). +""" +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "TCC Bypass via Mounted APFS Snapshot Access" +references = ["https://theevilbit.github.io/posts/cve_2020_9771/"] +risk_score = 73 +rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6" +severity = "high" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +type = "query" + +query = ''' +event.category : process and event.type : (start or process_started) and process.name : mount_apfs and + process.args : (/System/Volumes/Data and noowners) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1006" +name = "Direct Volume Access" +reference = "https://attack.mitre.org/techniques/T1006/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/"