security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71186c8788b3f85dba122647e8992dcafe29c7e3
sigma-rules/rules/macos/persistence_via_atom_init_file_modification.toml
T
Justin Ibarra 59da2da474 [Rule Tuning] Ensure host information is in endpoint rule queries (#2593) 
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-05 11:41:19 -07:00

50 lines
1.5 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/01/21"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
description = """
Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the
init.coffee file that will be executed upon the Atom application opening.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence via Atom Init Script Modification"
references = [
"https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js",
"https://flight-manual.atom.io/hacking-atom/sections/the-init-file/",
]
risk_score = 21
rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7"
severity = "low"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:file and host.os.type:macos and not event.type:"deletion" and
file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1037"
name = "Boot or Logon Initialization Scripts"
reference = "https://attack.mitre.org/techniques/T1037/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink