From 6ca381763d28bf298c6d9256cd25a70a923ce2e5 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 8 Feb 2021 17:39:22 +0100 Subject: [PATCH] [New Rule] Execution with Administrator Privileges via Apple Scripting (#777) * [New Rule] Execution with Administrator Privileges via Apple Scripting * Update privilege_escalation_applescript_with_admin_privs.toml * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...calation_applescript_with_admin_privs.toml | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 rules/macos/privilege_escalation_applescript_with_admin_privs.toml diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml new file mode 100644 index 000000000..cc6659e35 --- /dev/null +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -0,0 +1,53 @@ +[metadata] +creation_date = "2020/12/27" +maturity = "production" +updated_date = "2020/12/27" + +[rule] +author = ["Elastic"] +description = """ +Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator +privileges. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Apple Scripting Execution with Administrator Privileges" +references = ["https://discussions.apple.com/thread/2266150"] +risk_score = 47 +rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b" +severity = "medium" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"] +type = "eql" + +query = ''' +process where event.type in ("start", "process_started") and process.name : "osascript" and + process.command_line : "osascript*with administrator privileges" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1078" +name = "Valid Accounts" +reference = "https://attack.mitre.org/techniques/T1078/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/"