security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71186c8788b3f85dba122647e8992dcafe29c7e3
sigma-rules/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
T
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-05 11:41:19 -07:00

68 lines
2.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/10/05"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
description = """
Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker's
malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence
on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to
execute code each time the screensaver is activated.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Unexpected Child Process of macOS Screensaver Engine"
note = """## Triage and analysis
- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such
as a download of a payload from a server.
- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to
identify whether the file is malicious or not.
## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://posts.specterops.io/saving-your-access-d562bf5bf90b",
"https://github.com/D00MFist/PersistentJXA",
]
risk_score = 47
rule_id = "48d7f54d-c29e-4430-93a9-9db6b5892270"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "macos" and event.type == "start" and process.parent.name == "ScreenSaverEngine"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.002"
name = "Screensaver"
reference = "https://attack.mitre.org/techniques/T1546/002/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink