security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Persistence via DirectoryService Plugin Modification (#858)

Browse Source 
* [New Rule] Persistence via DirectoryService Plugin Modification

* Update persistence_directory_services_plugins_modification.toml

* adjusted description

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
This commit is contained in:
Samirbous
2021-02-09 10:59:35 +01:00
committed by GitHub
parent cfd42babd1
commit aa2dcd58e7
1 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/persistence_directory_services_plugins_modification.toml
+44
View File
@@ -0,0 +1,44 @@
[metadata]
creation_date = "2021/01/13"
maturity = "production"
updated_date = "2021/01/13"
[rule]
author = ["Elastic"]
description = """
Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemonlaunches
on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the
DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.
"""
false_positives = ["Trusted DirectoryService PlugIns"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Persistence via DirectoryService Plugin Modification"
references = ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"]
risk_score = 47
rule_id = "89fa6cb7-6b53-4de2-b604-648488841ab8"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
type = "query"
query = '''
event.category:file and not event.type:deletion and
file.path:/Library/DirectoryServices/PlugIns/*.dsplug
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"