From c76439923b02fac5567395e9bb2afff801404ea9 Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Tue, 8 Dec 2020 12:27:03 +0100 Subject: [PATCH] [New Rule] Attempt to Remove File Quarantine Attribute (#674) * [New Rule] Attempt to Remove File Quarantine Attribute * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra --- ...evasion_attempt_del_quarantine_attrib.toml | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml new file mode 100644 index 000000000..b10570bc8 --- /dev/null +++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml @@ -0,0 +1,44 @@ +[metadata] +creation_date = "2020/08/14" +maturity = "production" +updated_date = "2020/11/03" + +[rule] +author = ["Elastic"] +description = """ +Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, +there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution +time. An adversary may disable this attribute to evade defenses. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "eql" +license = "Elastic License" +name = "Attempt to Remove File Quarantine Attribute" +references = [ + "https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html", +] +risk_score = 43 +rule_id = "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7" +severity = "medium" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"] +type = "eql" + +query = ''' +process where event.type in ("start", "process_started") and + process.name == "xattr" and process.args == "com.apple.quarantine" and process.args == "-d" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1089" +name = "Disabling Security Tools" +reference = "https://attack.mitre.org/techniques/T1089/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/"