[Rule Tuning] Compression of Keychain Credentials Directories (#787)

* [Rule Tuning] Access to Keychain Credentials Directories

* linted

* renamed rule filename

* added keychain filenames 

added filenames in case of exec from keychain working directory

* extra reference

* Update rules/macos/credential_access_credentials_keychains.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_credentials_keychains.toml

* 2021

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
This commit is contained in:
Samirbous
2021-02-08 17:31:04 +01:00
committed by GitHub
parent 79b0a940c5
commit ef01430ab0
@@ -1,31 +1,41 @@
[metadata]
creation_date = "2020/08/14"
maturity = "production"
updated_date = "2020/12/09"
updated_date = "2021/01/04"
[rule]
author = ["Elastic"]
description = """
Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way
for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords,
websites, secure notes, certificates, and Kerberos.
websites, secure notes and certificates.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
language = "eql"
license = "Elastic License"
name = "Compression of Keychain Credentials Directories"
references = ["https://objective-see.com/blog/blog_0x25.html"]
name = "Access to Keychain Credentials Directories"
references = [
"https://objective-see.com/blog/blog_0x25.html",
"https://securelist.com/calisto-trojan-for-macos/86543/",
]
risk_score = 73
rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
type = "query"
type = "eql"
query = '''
event.category:process and event.type:(start or process_started) and
process.name:(zip or tar or gzip or 7za or hdiutil) and
process.args:("/Library/Keychains/" or "/Network/Library/Keychains/" or "~/Library/Keychains/")
process where event.type in ("start", "process_started") and
process.args :
(
"/Users/*/Library/Keychains/*",
"/Library/Keychains/*",
"/Network/Library/Keychains/*",
"System.keychain",
"login.keychain-db",
"login.keychain"
)
'''
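Review bot: The new `query` block drops the `process.name:(zip or tar or gzip or 7za or hdiutil)` constraint the old query had, so the rule now fires on any process whose arguments contain a keychain path or filename, yet `risk_score = 73` and `severity = "high"` are carried over unchanged from the narrower compression rule. Every Mac presumably has legitimate keychain clients touching these paths during normal operation, so without a baseline-derived exclusion — on the order of `and not process.name in ("security", "securityd")`, with the exact names confirmed against real telemetry — the high-severity alert volume is likely unworkable, and at minimum a `false_positives = [...]` entry under `[rule]` describing expected benign sources is missing. The bare filename terms `"System.keychain"`, `"login.keychain-db"` and `"login.keychain"` only match an argument that is exactly the filename, so a relative reference such as `./login.keychain-db` escapes both them and the absolute path patterns; `"*login.keychain-db"` would close that gap if the extra noise is acceptable. Separately, `updated_date = "2021/01/04"` predates the 2021-02-08 commit date shown above and should be bumped. The `[rule]` table continues past the end of this hunk.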
@@ -41,8 +51,8 @@ name = "Keychain"
reference = "https://attack.mitre.org/techniques/T1555/001/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"