From fb3267992196a9877a2c98055f48f683247f74cd Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 8 Feb 2021 23:02:02 +0100 Subject: [PATCH] [New Rule] Access to SystemKey via Hexdump (#815) * [New Rule] Access to SystemKey via Hexdump * Update rules/macos/credential_access_systemkey_dumping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_systemkey_dumping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_systemkey_dumping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update credential_access_systemkey_dumping.toml * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> --- .../credential_access_systemkey_dumping.toml | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 rules/macos/credential_access_systemkey_dumping.toml diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml new file mode 100644 index 000000000..70c7a8d3e --- /dev/null +++ b/rules/macos/credential_access_systemkey_dumping.toml @@ -0,0 +1,48 @@ +[metadata] +creation_date = "2020/01/07" +maturity = "production" +updated_date = "2020/01/07" + +[rule] +author = ["Elastic"] +description = """ +Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and +features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the +keychain storage data from a system to acquire credentials. +""" +from = "now-9m" +index = ["auditbeat-*", "logs-endpoint.events.*"] +language = "kuery" +license = "Elastic License" +name = "SystemKey Access via Hexdump" +references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"] +risk_score = 73 +rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61" +severity = "high" +tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"] +type = "query" + +query = ''' +event.category:process and event.type:(start or process_started) and + process.name:hexdump and process.args:"/private/var/db/SystemKey" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1555" +name = "Credentials from Password Stores" +reference = "https://attack.mitre.org/techniques/T1555/" +[[rule.threat.technique.subtechnique]] +id = "T1555.001" +name = "Keychain" +reference = "https://attack.mitre.org/techniques/T1555/001/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +