[New Rule] Rules to detect screensaver persistence on macOS (#1531)
* add macos screensaver persistence rules * change uuid * update name Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * add T1546 Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
David French
@@ -0,0 +1,54 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/05"
|
||||
maturity = "production"
|
||||
updated_date = "2021/10/05"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's
|
||||
malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence
|
||||
on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to
|
||||
execute code each time the screensaver is activated.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Unexpected Child Process of macOS Screensaver Engine"
|
||||
note = """## Triage and analysis
|
||||
|
||||
- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such
|
||||
as downloading a payload from a server
|
||||
- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to
|
||||
identify whether the file is malicious or not.
|
||||
"""
|
||||
references = [
|
||||
"https://posts.specterops.io/saving-your-access-d562bf5bf90b",
|
||||
"https://github.com/D00MFist/PersistentJXA",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "48d7f54d-c29e-4430-93a9-9db6b5892270"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
process where event.type == "start" and process.parent.name == "ScreenSaverEngine"
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1546/"
|
||||
name = "Event Triggered Execution"
|
||||
id = "T1546"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
@@ -0,0 +1,64 @@
|
||||
[metadata]
|
||||
creation_date = "2021/10/05"
|
||||
maturity = "production"
|
||||
updated_date = "2021/10/05"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on
|
||||
a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute
|
||||
code each time the screensaver is activated.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["auditbeat-*", "logs-endpoint.events.*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Screensaver Plist File Modified by Unexpected Process"
|
||||
note = """## Triage and analysis
|
||||
|
||||
- Analyze the plist file modification event to identify whether the change was expected or not
|
||||
- Investigate the process that modified the plist file for malicious code or other suspicious behavior
|
||||
- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host"""
|
||||
references = [
|
||||
"https://posts.specterops.io/saving-your-access-d562bf5bf90b",
|
||||
"https://github.com/D00MFist/PersistentJXA",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "e6e8912f-283f-4d0d-8442-e0dcaf49944b"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "eql"
|
||||
|
||||
query = '''
|
||||
file where event.type != "deletion" and
|
||||
file.name: "com.apple.screensaver.*.plist" and
|
||||
file.path : (
|
||||
"/Users/*/Library/Preferences/ByHost/*",
|
||||
"/Library/Managed Preferences/*",
|
||||
"/System/Library/Preferences/*"
|
||||
) and
|
||||
/* Filter OS processes modifying screensaver plist files */
|
||||
not process.executable : (
|
||||
"/usr/sbin/cfprefsd",
|
||||
"/usr/libexec/xpcproxy",
|
||||
"/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor",
|
||||
"/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient"
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
reference = "https://attack.mitre.org/techniques/T1546/"
|
||||
name = "Event Triggered Execution"
|
||||
id = "T1546"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0003"
|
||||
name = "Persistence"
|
||||
reference = "https://attack.mitre.org/tactics/TA0003/"
|
||||
|
||||
Reference in New Issue
Block a user