From 7d4bd35bf0846f4dbcc21e91b7c6734744ab4c15 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 9 Feb 2021 22:04:14 +0100 Subject: [PATCH] =?UTF-8?q?[New=20Rule]=20Potential=20Privileges=20Escalat?= =?UTF-8?q?ion=20via=20Root=20Crontab=20File=20Modi=E2=80=A6=20(#919)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [New Rule] Potential Privileges Escalation via Root Crontab File Modification * Update privilege_escalation_root_crontab_filemod.toml * Update rules/macos/privilege_escalation_root_crontab_filemod.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_root_crontab_filemod.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * lint rule Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...ilege_escalation_root_crontab_filemod.toml | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 rules/macos/privilege_escalation_root_crontab_filemod.toml diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml new file mode 100644 index 000000000..7c9a7f878 --- /dev/null +++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml @@ -0,0 +1,50 @@ +[metadata] +creation_date = "2021/01/27" +maturity = "production" +updated_date = "2021/01/27" + +[rule] +author = ["Elastic"] +description = """ +Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root +privileges by exploiting privileged file write or move related vulnerabilities. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "Potential Privilege Escalation via Root Crontab File Modification" +references = [ + "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", + "https://www.exploit-db.com/exploits/42146", +] +risk_score = 73 +rule_id = "0ff84c42-873d-41a2-a4ed-08d74d352d01" +severity = "high" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"] +type = "query" + +query = ''' +event.category:file and not event.type:deletion and + file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1053" +name = "Scheduled Task/Job" +reference = "https://attack.mitre.org/techniques/T1053/" +[[rule.threat.technique.subtechnique]] +id = "T1053.003" +name = "Cron" +reference = "https://attack.mitre.org/techniques/T1053/003/" + + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" +