[metadata]
creation_date = "2021/01/21"
maturity = "production"
updated_date = "2021/03/03"

[rule]
author = ["Elastic"]
description = """
Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the
init.coffee file that will be executed upon the Atom application opening.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence via Atom Init Script Modification"
references = [
    "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
    "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/",
]
risk_score = 21
rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:"file" and not event.type:"deletion" and
 file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root
'''