From cdbd5a651578101d05d22ce16d6ba7d997f9b467 Mon Sep 17 00:00:00 2001
From: David French <56409778+threat-punter@users.noreply.github.com>
Date: Thu, 7 Oct 2021 08:22:58 -0600
Subject: [PATCH] [New Rule] Rules to detect screensaver persistence on macOS (#1531)
* add macos screensaver persistence rules
* change uuid
* update name
Co-authored-by: Justin Ibarra
* add T1546
Co-authored-by: Justin Ibarra
---
 ...saver_engine_unexpected_child_process.toml | 54 ++++++++++++++++
 ...e_screensaver_plist_file_modification.toml | 64 +++++++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
 create mode 100644 rules/macos/persistence_screensaver_plist_file_modification.toml
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
new file mode 100644
index 000000000..2fc6f0861
--- /dev/null
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2021/10/05"
+maturity = "production"
+updated_date = "2021/10/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's
+malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence
+on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to
+execute code each time the screensaver is activated.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unexpected Child Process of macOS Screensaver Engine"
+note = """## Triage and analysis
+
+- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such
+as downloading a payload from a server
+- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to
+identify whether the file is malicious or not.
+"""
+references = [
+ "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+ "https://github.com/D00MFist/PersistentJXA",
+]
+risk_score = 47
+rule_id = "48d7f54d-c29e-4430-93a9-9db6b5892270"
+severity = "medium"
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where event.type == "start" and process.parent.name == "ScreenSaverEngine"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1546/"
+name = "Event Triggered Execution"
+id = "T1546"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
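Review bot: The query `process where event.type == "start" and process.parent.name == "ScreenSaverEngine"` applies no exclusion for benign children, so every process the screensaver engine legitimately launches will alert, and the triage note should say so, e.g. `- No allowlist of known-good child processes is applied; baseline ScreenSaverEngine descendants in your environment before tuning`. Since `index` also covers `auditbeat-*`, please confirm that auditbeat process events on this stack carry `event.type == "start"`; other rules in this repository that index auditbeat appear to use `event.type in ("start", "process_started")`, and if that is the case here the same form would avoid silently missing that source. Matching the parent by `process.parent.name` alone is reasonable for breadth, but the note could add that the parent's `process.parent.executable` should be checked during triage, because a name match does not by itself establish that the parent was the system screensaver engine.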
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
new file mode 100644
index 000000000..e68973b72
--- /dev/null
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -0,0 +1,64 @@
+[metadata]
+creation_date = "2021/10/05"
+maturity = "production"
+updated_date = "2021/10/05"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on
+a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute
+code each time the screensaver is activated.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Screensaver Plist File Modified by Unexpected Process"
+note = """## Triage and analysis
+
+- Analyze the plist file modification event to identify whether the change was expected or not
+- Investigate the process that modified the plist file for malicious code or other suspicious behavior
+- Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host"""
+references = [
+ "https://posts.specterops.io/saving-your-access-d562bf5bf90b",
+ "https://github.com/D00MFist/PersistentJXA",
+]
+risk_score = 47
+rule_id = "e6e8912f-283f-4d0d-8442-e0dcaf49944b"
+severity = "medium"
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+file where event.type != "deletion" and
+ file.name: "com.apple.screensaver.*.plist" and
+ file.path : (
+ "/Users/*/Library/Preferences/ByHost/*",
+ "/Library/Managed Preferences/*",
+ "/System/Library/Preferences/*"
+ ) and
+ /* Filter OS processes modifying screensaver plist files */
+ not process.executable : (
+ "/usr/sbin/cfprefsd",
+ "/usr/libexec/xpcproxy",
+ "/System/Library/CoreServices/ManagedClient.app/Contents/Resources/MCXCompositor",
+ "/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+reference = "https://attack.mitre.org/techniques/T1546/"
+name = "Event Triggered Execution"
+id = "T1546"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
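Review bot: `event.type != "deletion"` in the query is a negative filter, so any other file event type either data source emits for these paths (access or info events, if present) will also fire; a positive list such as `event.type in ("creation", "change")` states the intent and is the form to prefer if those are the only types the endpoint produces for writes — please confirm against both data sources. The `note` string closes on the same line as its last bullet (`...on the host"""`), while the sibling rule added in this commit (persistence_screensaver_engine_unexpected_child_process.toml) ends its bullets with periods and closes `"""` on its own line; aligning the two keeps the rendered triage text consistent. The triage note could also direct the analyst to compare the screensaver module path referenced in the modified plist with the standard system and local screensaver locations, since a module loaded from elsewhere is the condition the description is built around.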