From cfd42babd1843a8ce69151bafc32c0660b86f064 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 9 Feb 2021 10:50:39 +0100
Subject: [PATCH] [New Rule] Enumeration of Users or Groups using Built-In Commands (#848) * [New Rule] Enumeration of Users or Groups using Built-In Commands * Update discovery_users_domain_built_in_commands.toml * added search option * excluded some noisy processes * Update discovery_users_domain_built_in_commands.toml * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Justin Ibarra * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Justin Ibarra * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Justin Ibarra Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra
---
 ...covery_users_domain_built_in_commands.toml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 rules/macos/discovery_users_domain_built_in_commands.toml
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
new file mode 100644
index 000000000..f2b9bf89c
--- /dev/null
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -0,0 +1,50 @@
+[metadata]
+creation_date = "2021/01/12"
+maturity = "production"
+updated_date = "2021/01/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of macOS built-in commands related to account or group enumeration.
+"""
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Enumeration of Users or Groups via Built-in Commands"
+risk_score = 21
+rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
+severity = "low"
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Discovery"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+ not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
+ "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
+ process.name : ("ldapsearch", "dsmemberutil") or
+ (process.name : "dscl" and
+ process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
+ process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
+
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
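Review bot: The EQL in `query` mixes `and` and `or` without grouping, and because `and` binds tighter than `or` the `event.type` filter, the parent-executable exclusion and the `ldapsearch`/`dsmemberutil` name match form one branch while the `dscl` group is a separate, unconditioned branch. As written the `dscl` alternative matches any process event type rather than only process start, and the NoMAD/ZoomPresence parent exclusion this commit adds never applies to it, so the noise reduction those exclusions were meant to provide is lost for exactly the noisiest command. Wrapping the two name alternatives restores the intent: change `process.name : ("ldapsearch", "dsmemberutil") or` to `(process.name : ("ldapsearch", "dsmemberutil") or` and the closing `"/Groups*"))` to `"/Groups*")))`. A short comment above `query` such as `# parent exclusions are path-only allowlists; a matching parent path is a weak signal of legitimacy` would also help the next maintainer who extends that list.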