From ecd10b672a8a69eb592f6b92b3b75cf458bb2092 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Tue, 2 Aug 2022 14:21:00 -0400
Subject: [PATCH] [Rule Tuning] Execution with Explicit Credentials via Scripting (#2190)

* add case sensitive Python process name and T1548
---
 ...ge_escalation_explicit_creds_via_scripting.toml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 2668ff790..5fe38cdc1 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/27"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
  process.name:"security_authtrampoline" and
- process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)
+ process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)
 '''
 
 
@@ -40,6 +40,16 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
 
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.004"
+name = "Elevated Execution with Prompt"
+reference = "https://attack.mitre.org/techniques/T1548/004/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
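Review bot: The new `Python` term in the `process.parent.name` list of the second hunk is an exact match sitting next to the wildcard `python*`, and nothing in the rule file records why both spellings are listed, so a later tuning pass could reasonably collapse them and silently lose coverage. If `process.parent.name` is a keyword field, as the case-sensitive addition suggests, a one-line TOML comment above `query = '''` would preserve the intent, e.g. `# python* is case-sensitive here; the capitalised "Python" parent is listed separately on purpose`. It may also be worth confirming whether `ruby` and `pwsh` should carry the same `*` suffix as `perl*` and `php*`, since the list is otherwise inconsistent about versioned binary names.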