security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2fe7336f2be3352aef12b4d7e5c1c2f8a55b1d92
sigma-rules/rules/macos/persistence_directory_services_plugins_modification.toml
T
Mika Ayenson 4534f04c0c fix typo in description (#2168) 
(cherry picked from commit fcc9cc9d8e)
2022-07-27 12:52:56 +00:00

45 lines
1.3 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/01/13"
maturity = "production"
updated_date = "2022/07/25"
[rule]
author = ["Elastic"]
description = """
Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches
on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the
DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Persistence via DirectoryService Plugin Modification"
references = ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"]
risk_score = 47
rule_id = "89fa6cb7-6b53-4de2-b604-648488841ab8"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and not event.type:deletion and
file.path:/Library/DirectoryServices/PlugIns/*.dsplug
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink