[Rule Tuning] Screensaver Plist File Modified by Unexpected Process (#2413)

2022-12-22 10:27:10 -05:00
parent 7cf14dd515
commit be884a1cf3
1 changed files with 22 additions and 6 deletions
@@ -3,7 +3,7 @@ creation_date = "2021/10/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2022/12/05"

 [rule]
 author = ["Elastic"]
@@ -41,11 +41,27 @@ type = "eql"
 query = '''
 file where event.type != "deletion" and
  file.name: "com.apple.screensaver.*.plist" and
-  file.path : (
-    "/Users/*/Library/Preferences/ByHost/*",
-    "/Library/Managed Preferences/*",
-    "/System/Library/Preferences/*"
-    ) and
+   file.path : (
+      "/Users/*/Library/Preferences/ByHost/*",
+      "/Library/Managed Preferences/*",
+      "/System/Library/Preferences/*"
+      ) and
+  (
+    process.code_signature.trusted == false or
+    process.code_signature.exists == false or
+
+    /* common script interpreters and abused native macOS bins */
+    process.name : (
+      "curl",
+      "mktemp",
+      "tail",
+      "funzip",
+      "python*",
+      "osascript",
+      "perl"
+      )
+   ) and
+
  /* Filter OS processes modifying screensaver plist files */
  not process.executable : (
    "/usr/sbin/cfprefsd",