[metadata]
creation_date = "2021/01/21"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"

[rule]
author = ["Elastic"]
description = """
Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the
init.coffee file that will be executed upon the Atom application opening.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence via Atom Init Script Modification"
references = [
    "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
    "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/",
]
risk_score = 21
rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:file and host.os.type:macos and not event.type:"deletion" and
 file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"