43d3f3b467
* update
* [New] Endpoint Rule Conversion PR
* fix: replace invalid rule_ids with valid UUIDs
* fix: remove malformed TOML in docker_outbound_connection rule
* fix: rename Security Software Discovery rule to avoid name collision
* fix: remove rule using unsupported 'as event' alias syntax
* fix: add timestamp_override, investigation guides, and fix MITRE mapping
  - Added timestamp_override = 'event.ingested' to 15 non-sequence EQL rules
  - Added '## Triage and analysis' investigation guides to 19 high-severity rules
  - Fixed T1176 technique name from 'Browser Extensions' to 'Software Extensions'
* Enhance investigation guides for 19 high-severity macOS SIEM rules
  Enhanced investigation guides to align with existing SIEM rule format:
  - Added detailed context paragraphs explaining the threat and detection logic
  - Expanded investigation steps to 6-7 items with specific field references
  - Enhanced false positive analysis with 4-5 items and exclusion guidance
  - Added comprehensive response and remediation steps (6-7 items)
  Rules enhanced:
  - Defense Evasion: dylib_injection, gatekeeper_override, tcc_access
  - Persistence: shell_profile, hidden_plist, chromium_extension, startup_item, pkg_install_script, launch_agent_daemon
  - Execution: unusual_library_python
  - Lateral Movement: jamf_endpoint
  - Command and Control: google_calendar_c2, oast_domain, etherhiding, curl_from_app, curl_google_script, unsigned_binary
  - Collection: pbpaste, sensitive_file_compression
* Fix investigation guide tests: add Resources tag and fix OAST title
  - Added 'Resources: Investigation Guide' tag to all 19 rules with investigation guides
  - Fixed OAST rule investigation guide title to match rule name exactly: 'Network Connection to OAST Domain via Script Interpreter'
* Remove duplicate detection_rules 2 folder from PR
* Address Samir's PR feedback: consolidate rules, convert to ES|QL, fix Gatekeeper rule
  Changes:
  - Convert AWS S3 connection rule to ES|QL with aggregation
  - Consolidate Python + Node non-standard port rules into single script interpreter rule
  - Fix Gatekeeper rule to use correct gatekeeper_override event
  - Simplify Gatekeeper rule to single event per Samir's suggestion
  - Convert TCC access rule to ES|QL with COUNT_DISTINCT
  - Tune cross-platform security software grep rule (add egrep, pgrep, more tools)
  - Add node to system/network config check rule
  Deleted duplicates (covered by existing cross-platform rules):
  - Docker suspicious TLD rule (covered by unusual_connection_to_suspicious_top_level_domain)
  - Security software via grep (tuned cross-platform version instead)
  - VM fingerprinting via grep (duplicate of cross-platform version)
* fix: ESQL formatting and wildcard versioning patterns
  - Add Esql. prefix to computed fields in ESQL rules
  - Add KEEP statements to ESQL rules for proper field visibility
  - Add perl* wildcard to OAST domain rule for version consistency
  - Add ruby* wildcard to Etherhiding C2 rule for version consistency
  - Fix regex pattern in TCC rule (perl.*/ruby.* for versioning)
* fix: remove duplicate Script Interpreter rule
  Delete command_and_control_suspicious_outbound_python_network.toml which is an exact duplicate of command_and_control_script_interpreter_connection_to_non_standard_port.toml (same rule_id: aa1e007a-2997-4247-b048-dd9344742560)
* fix: add timestamp_override to Pbpaste and Gatekeeper rules
  - collection_pbpaste_execution_via_unusual_parent.toml
  - defense_evasion_gatekeeper_override_and_execution.toml
  EQL/KQL rules require timestamp_override: event.ingested
* fix: remove perl from Script Interpreter rule
  Perl is covered by the broader perl_outbound_network_connection rule which catches perl → any external IP (not just non-standard ports). Perl network connections on macOS are rare and inherently suspicious regardless of port.
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/command_and_control_aws_s3_connection_via_script.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/defense_evasion_suspicious_tcc_access_granted.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_manual_chromium_extension_loading.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_startup_item_plist_creation.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/persistence_suspicious_launch_agent_or_launch_daemon.toml
  Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Fix ESQL syntax error in AWS S3 connection rule
  Remove trailing comma before BY clause in STATS command that caused a parsing_exception.
  Co-authored-by: Cursor <cursoragent@cursor.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
111 lines
5.6 KiB
TOML
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/01/30"

[rule]
author = ["Elastic"]
description = """
Detects when curl is executed via a shell profile upon login. This indicates a curl command was added to the
user's shell profile (like .zshrc or .bashrc) and is executed automatically at login, which could be used for
persistence and payload delivery.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Curl Execution via Shell Profile"
risk_score = 73
rule_id = "afdca1e0-0f8a-4fcf-9e1e-95e09791e3cd"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Command and Control",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide"
]
type = "eql"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Curl Execution via Shell Profile

Shell profile scripts (.zshrc, .bashrc, .bash_profile, .zprofile) execute automatically when users open new terminal sessions, making them valuable persistence mechanisms. Threat actors inject curl commands into these profiles to download and execute additional payloads each time the user opens a terminal, creating a reliable beacon mechanism that persists across system reboots. This detection rule identifies curl execution with download flags that originates directly from shell profile execution at login.

### Possible investigation steps

- Review the shell profile files (.zshrc, .bashrc, .bash_profile, .zprofile) for the affected user to identify the injected curl command and its destination URL.
- Analyze the process.args to determine the full curl command including output destination (-o, --output) and any other flags used.
- Investigate the destination URL in threat intelligence databases to determine if it is associated with known malicious infrastructure.
- Review the file modification timestamps of the shell profile files to determine when the malicious entry was added.
- Check browser history, email attachments, and download logs to understand how the attacker initially gained access to modify the profile.
- Examine the user.name associated with the modified profile to assess the scope of potential data access.
- Search for downloaded files on the system that may have been retrieved by the curl command and analyze their contents.

### False positive analysis

- Developers may add curl commands to shell profiles for convenience, such as fetching daily updates or checking API endpoints. Verify the URL destination and purpose with the user.
- Some shell customization frameworks and plugins use curl to update themselves on shell startup. Review common frameworks like Oh My Zsh for expected behavior.
- Enterprise tools may configure shell profiles for authentication or environment setup. Confirm with IT operations if such configurations are expected.
- Elastic infrastructure URLs are already excluded in the query to reduce noise from legitimate Elastic tooling.

### Response and remediation

- Remove the malicious curl command from the affected shell profile file immediately.
- Block the destination URL at the network perimeter to prevent payload delivery.
- Search for any files that were downloaded by the curl command and quarantine or remove them.
- Review user credentials and tokens that may have been exposed, as shell sessions often contain sensitive environment variables.
- Investigate how the shell profile was modified to identify the initial access vector.
- Check other user accounts on the system for similar shell profile modifications.
- Reset the user's shell profile from a known-good backup or template if available.
- Monitor for curl execution from shell profiles across the environment to identify additional compromised systems.
"""
query = '''
sequence with maxspan=10s
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.name in ("bash", "zsh", "sh") and
    process.args in ("-zsh", "-sh", "-bash") and process.args_count == 1 and
    process.parent.name == "login"] by process.entity_id
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
    process.name in ("curl", "nscurl") and
    process.args in ("-o", "--output", "--download", "-dl", "-dir", "--directory", "-F", "--form") and
    not process.args like ("https://upload.elastic.co*", "https://vault-ci-prod.elastic.dev", "https://artifacts.elastic.co*")] by process.parent.entity_id
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Persistence"
id = "TA0003"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat.technique]]
name = "Event Triggered Execution"
id = "T1546"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
name = "Unix Shell Configuration Modification"
id = "T1546.004"
reference = "https://attack.mitre.org/techniques/T1546/004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[rule.threat.tactic]
name = "Command and Control"
id = "TA0011"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat.technique]]
name = "Ingress Tool Transfer"
id = "T1105"
reference = "https://attack.mitre.org/techniques/T1105/"