43d3f3b467
* update
* [New] Endpoint Rule Conversion PR
* fix: replace invalid rule_ids with valid UUIDs
* fix: remove malformed TOML in docker_outbound_connection rule
* fix: rename Security Software Discovery rule to avoid name collision
* fix: remove rule using unsupported 'as event' alias syntax
* fix: add timestamp_override, investigation guides, and fix MITRE mapping
  - Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
  - Added '## Triage and analysis' investigation guides to 19 high-severity rules
  - Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'
* Enhance investigation guides for 19 high-severity macOS SIEM rules
  Enhanced investigation guides to align with existing SIEM rule format:
  - Added detailed context paragraphs explaining the threat and detection logic
  - Expanded investigation steps to 6-7 items with specific field references
  - Enhanced false positive analysis with 4-5 items and exclusion guidance
  - Added comprehensive response and remediation steps (6-7 items)
  Rules enhanced:
  - Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
  - Persistence: shell_profile, hidden_plist, chromium_extension, startup_item, pkg_install_script, launch_agent_daemon
  - Execution: unusual_library_python
  - Lateral Movement: jamf_endpoint
  - Command and Control: google_calendar_c2, oast_domain, etherhiding, curl_from_app, curl_google_script, unsigned_binary
  - Collection: pbpaste, sensitive_file_compression
* Fix investigation guide tests: add Resources tag and fix OAST title
  - Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
  - Fixed OAST rule investigation guide title to match rule name exactly: 'Network Connection to OAST Domain via Script Interpreter'
* Remove duplicate detection_rules 2 folder from PR
* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule
  Changes:
  - Convert AWS S3 connection rule to ES|QL with aggregation
  - Consolidate Python + Node non-standard port rules into single script interpreter rule
  - Fix Gatekeeper rule to use correct gatekeeper_override event
  - Simplify Gatekeeper rule to single event per Samir's suggestion
  - Convert TCC access rule to ES|QL with COUNT_DISTINCT
  - Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
  - Add node to system/network config check rule
  Deleted duplicates (covered by existing cross-platform rules):
  - Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
  - Security software via grep (tuned cross-platform version instead)
  - VM fingerprinting via grep (duplicate of cross-platform version)
* fix: ESQL formatting and wildcard versioning patterns
  - Add Esql. prefix to computed fields in ESQL rules
  - Add KEEP statements to ESQL rules for proper field visibility
  - Add perl* wildcard to OAST domain rule for version consistency
  - Add ruby* wildcard to Etherhiding C2 rule for version consistency
  - Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)
* fix: remove duplicate Script Interpreter rule
  Delete command_and_control_suspicious_outbound_python_network.toml which is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml (same rule_id: aa1e007a-2997-4247-b048-dd9344742560)
* fix: add timestamp_override to Pbpaste and Gatekeeper rules
  - collection_pbpaste_execution_via_unusual_parent.toml
  - defense_evasion_gatekeeper_override_and_execution.toml
  EQL/KQL rules require timestamp_override: event.ingested
* fix: remove perl from Script Interpreter rule
  Perl is covered by the broader perl_outbound_network_connection rule which catches perl → any external IP (not just non-standard ports). Perl network connections on macOS are rare and inherently suspicious regardless of port.
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_manual_chromium_extension_loading.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_startup_item_plist_creation.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Fix ESQL syntax error in AWS S3 connection rule
  Remove trailing comma before BY clause in STATS command that caused a parsing_exception.
  Co-authored-by: Cursor <cursoragent@cursor.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
99 lines
5.4 KiB
TOML
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects when a Python process loads an unusual library from within the user's home directory where the file
is not a standard .so or .dylib file. This technique has been observed in APT campaigns by the Lazarus Group
and Slow Pisces to load malicious payloads.
"""
from = "now-9m"
index = ["logs-endpoint.events.library-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Library Load via Python"
references = [
    "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/",
    "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34"
]
risk_score = 73
rule_id = "ab9a334a-f2c3-4f49-879f-480de71020d3"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Unusual Library Load via Python

Python's dynamic library loading capabilities allow code to import and execute shared libraries at runtime. Sophisticated threat actors, including APT groups like Lazarus and Slow Pisces, abuse this functionality to load malicious payloads disguised as Python modules from user directories. This detection rule identifies when Python loads libraries from user home directories that don't follow standard naming conventions (.so or .dylib), indicating potential malicious module loading.

### Possible investigation steps

- Examine the dll.path field to identify the full path of the library being loaded and determine if it is in an expected location for legitimate Python packages.
- Analyze the dll.name to assess whether the file extension matches known malicious patterns or unusual naming conventions not typical for Python modules.
- Calculate the hash of the loaded library file and search threat intelligence databases for known malicious indicators associated with Lazarus or Slow Pisces campaigns.
- Review the process.executable and process.command_line to understand which Python script or application initiated the library load.
- Examine the parent process hierarchy using process.parent.executable to trace back to the initial execution vector that launched the Python process.
- Check for other files in the same directory as the loaded library that may be additional malware components or supporting payloads.
- Review file creation timestamps to determine when the suspicious library was placed on the system and correlate with other security events.

### False positive analysis

- Some Python applications dynamically extract or compile extension modules during runtime, particularly scientific computing packages. Verify if the application is known to exhibit this behavior.
- Development environments and IDEs may use unconventional library paths during testing and debugging. Confirm with development teams if such activities are expected.
- PyQt and similar UI frameworks may load additional framework files from user directories. These are partially excluded in the query but may require additional tuning.
- Pyenv and virtual environment setups may have libraries in non-standard locations. Review the paths against known virtual environment structures.

### Response and remediation

- Immediately terminate the Python process if the loaded library is confirmed or suspected to be malicious.
- Quarantine the suspicious library file for forensic analysis and malware reverse engineering.
- Scan the system for additional indicators of compromise associated with the identified threat actor campaign.
- Review the Python script or application that loaded the library and assess whether it has been modified or replaced.
- Check for persistence mechanisms that may reload the malicious library on system restart or user login.
- Search for similar library loading patterns across other systems in the environment to identify potential lateral movement.
- Reset any credentials or tokens that may have been exposed through the compromised Python process.
- Escalate to the incident response team if APT-level compromise is suspected.
"""
query = '''
library where host.os.type == "macos" and event.action == "load" and
 dll.path like "/Users/*" and
 process.name like "python*" and
 not dll.name like ("*.so", "*.dylib", "Python", "*.*_extension", "*.dylib.*") and
 not dll.path like ("*/site-packages/*/Qt*/lib/Qt*.framework/Versions/*/Qt*",
                    "/Users/*/.pyenv/versions/*/lib/python*/site-packages/*")
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Execution"
id = "TA0002"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat.technique]]
name = "Command and Scripting Interpreter"
id = "T1059"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
name = "Python"
id = "T1059.006"
reference = "https://attack.mitre.org/techniques/T1059/006/"