[metadata] creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" updated_date = "2023/02/22" [rule] author = ["Elastic"] description = """ Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials. """ from = "now-9m" index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "Execution with Explicit Credentials via Scripting" references = [ "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf", "https://www.manpagez.com/man/8/security_authtrampoline/", ] risk_score = 47 rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1" severity = "medium" tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"] timestamp_override = "event.ingested" type = "query" query = ''' event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:"security_authtrampoline" and process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" [[rule.threat.technique]] id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" [[rule.threat.technique.subtechnique]] id = "T1548.004" name = "Elevated Execution with Prompt" reference = "https://attack.mitre.org/techniques/T1548/004/" [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"