From 32975e51552bdfc2c59e5517f3757404c8495a1e Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 5 Feb 2025 15:40:27 +0100 Subject: [PATCH 1/7] [Rule Tuning] Port Scan Rules (#4443) --- ...very_potential_network_sweep_detected.toml | 25 ++++++++----------- ...iscovery_potential_port_scan_detected.toml | 22 ++++++++-------- ...very_potential_syn_port_scan_detected.toml | 23 ++++++++--------- 3 files changed, 31 insertions(+), 39 deletions(-) diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 540123e9d5d..9de35009cea 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2023/05/17" -integration = ["endpoint", "network_traffic", "panw"] +integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,10 +11,10 @@ This rule identifies a potential network sweep. A network sweep is a method used identifying active hosts, open ports, and available services to gather information on vulnerabilities and weaknesses. This reconnaissance helps them plan subsequent attacks and exploit potential entry points for unauthorized access, data theft, or other malicious activities. This rule proposes threshold logic to check for connection attempts from one -source host to 10 or more destination hosts on commonly used network services. +source host to 100 or more destination hosts on commonly used network services. """ from = "now-9m" -index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*"] +index = ["packetbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"] language = "kuery" license = "Elastic License v2" max_signals = 5 
@@ -27,16 +27,14 @@ tags = [ "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", - "Data Source: Elastic Defend", "Data Source: PAN-OS", "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "threshold" - query = ''' -destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and -source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +event.action:network_flow and destination.port:(21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and +source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' note = """## Triage and analysis @@ -80,32 +78,32 @@ Network sweeps are reconnaissance techniques where attackers scan networks to id - Document and report: Record all findings, actions taken, and lessons learned in an incident report to inform future response strategies and improve network defenses.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" + [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" - - [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -114,8 +112,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["source.ip"] value = 1 + [[rule.threshold.cardinality]] field = "destination.ip" value = 100 - - diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index 67717962f28..381b9682fa7 100644 
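Review bot: The new `event.action:network_flow` term in `query` restricts this rule to flow documents, yet `index` still lists `logs-panw.panos*` and `tags` keeps `Data Source: PAN-OS`; as far as I recall the PAN-OS traffic logs populate `event.action` with their own vocabulary rather than `network_flow`, in which case those documents can no longer match and the index entry and tag are dead weight. Confirm against a sample PAN-OS traffic document and either drop the index and tag or widen the filter to `event.action:(network_flow or <panw values>)`. If PAN-OS is dropped the same cleanup applies to the `integration` list in the metadata hunk above, which now keeps only `network_traffic` and `panw`.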
--- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2023/05/17" -integration = ["endpoint", "network_traffic", "panw"] +integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,10 +12,10 @@ target system or network for open ports, allowing them to identify available ser mapping out the open ports, attackers can gather critical information to plan and execute targeted attacks, gaining unauthorized access, compromising security, and potentially leading to data breaches, unauthorized control, or further exploitation of the targeted system or network. This rule proposes threshold logic to check for connection attempts from -one source host to 20 or more destination ports. +one source host to 250 or more destination ports. """ from = "now-9m" -index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*", "logs-panw.panos*"] +index = ["logs-network_traffic.*", "packetbeat-*", "filebeat-*", "logs-panw.panos*"] language = "kuery" license = "Elastic License v2" max_signals = 5 @@ -28,7 +28,6 @@ tags = [ "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", - "Data Source: Elastic Defend", "Data Source: PAN-OS", "Resources: Investigation Guide" ] @@ -36,7 +35,7 @@ timestamp_override = "event.ingested" type = "threshold" query = ''' -destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +event.action:network_flow and destination.port:* and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' note = """## Triage and analysis 
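Review bot: The updated description says the rule checks "connection attempts from one source host to 250 or more destination ports", but the threshold block (visible as context in the later hunk) groups on `["destination.ip", "source.ip"]` with the cardinality on `destination.port`, so the 250 ports must all be on one destination host; a scan of a handful of ports across many hosts never reaches the count. Make the description match what is measured, e.g. `one source host to 250 or more destination ports on a single destination host.`, so that anyone retuning the number knows what it counts. The `[rule.threshold]` block itself lies outside this hunk.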
@@ -74,32 +73,32 @@ Network scanning is a technique used to identify open ports and services on a ne - Escalate to security operations: If the scan is part of a larger attack or if sensitive data is at risk, escalate the incident to the security operations team for further analysis and response. - Review and enhance detection capabilities: Evaluate the effectiveness of current detection mechanisms and consider integrating additional threat intelligence sources to improve early detection of similar threats.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" + [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" - - [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -108,8 +107,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 + [[rule.threshold.cardinality]] field = "destination.port" value = 250 - - diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index 00a1a878cbb..0266773a647 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2023/05/17" -integration = ["endpoint", "network_traffic", "panw"] +integration = ["network_traffic", "panw"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -12,10 +12,10 @@ target network for open ports by sending SYN packets to multiple ports and obser method to identify potential entry points or services that may be vulnerable to exploitation, allowing them to launch targeted attacks or gain unauthorized access to the system or network, compromising its security and potentially leading to data breaches or further malicious activities. This rule proposes threshold logic to check for connection attempts -from one source host to 10 or more destination ports using 2 or less packets per port. +from one source host to 250 or more destination ports using 2 or less packets per port. """ from = "now-9m" -index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"] +index = ["logs-network_traffic.*", "packetbeat-*", "filebeat-*", "logs-panw.panos*"] language = "kuery" license = "Elastic License v2" max_signals = 5 @@ -28,15 +28,13 @@ tags = [ "Tactic: Discovery", "Tactic: Reconnaissance", "Use Case: Network Security Monitoring", - "Data Source: Elastic Defend", "Data Source: PAN-OS", "Resources: Investigation Guide" ] timestamp_override = "event.ingested" type = "threshold" - query = ''' -destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) +event.action:network_flow and destination.port:* and network.packets <= 2 and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' note = """## Triage and analysis 
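Review bot: As with the sibling port-scan rule, the description "from one source host to 250 or more destination ports" does not say that the threshold (context in the hunk below) is keyed on `["destination.ip", "source.ip"]`, so all 250 ports have to be on a single destination host. Suggest `from one source host to 250 or more destination ports on a single destination host, using 2 or less packets per port.` so the description and the threshold agree. The `[rule.threshold]` block is outside this hunk.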
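Review bot: `network.packets <= 2` in the rewritten query keeps the closed-port case of a SYN scan (SYN out, RST back), but if `network.packets` is the bidirectional flow total then a probe that hits an open port — SYN, SYN/ACK, RST — is three packets and is excluded, so the rule effectively counts only ports the scanner found closed. That may be intentional, since closed ports dominate a sweep, but it should be stated in the description or the bound loosened to `network.packets <= 3` after checking how the network_traffic integration fills the field. The query also now requires `event.action:network_flow` while `logs-panw.panos*` stays in `index`; confirm PAN-OS traffic logs carry that value, otherwise they silently drop out of this rule.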
@@ -74,32 +72,32 @@ SYN-based port scanning is a reconnaissance technique where attackers send SYN p - Update intrusion detection and prevention systems to enhance detection capabilities for similar SYN-based port scanning activities. - Review and update network segmentation policies to limit the exposure of critical services and systems to internal reconnaissance activities.""" - [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1046" name = "Network Service Discovery" reference = "https://attack.mitre.org/techniques/T1046/" - [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + [[rule.threat]] framework = "MITRE ATT&CK" + [[rule.threat.technique]] id = "T1595" name = "Active Scanning" reference = "https://attack.mitre.org/techniques/T1595/" + [[rule.threat.technique.subtechnique]] id = "T1595.001" name = "Scanning IP Blocks" reference = "https://attack.mitre.org/techniques/T1595/001/" - - [rule.threat.tactic] id = "TA0043" name = "Reconnaissance" @@ -108,8 +106,7 @@ reference = "https://attack.mitre.org/tactics/TA0043/" [rule.threshold] field = ["destination.ip", "source.ip"] value = 1 + [[rule.threshold.cardinality]] field = "destination.port" value = 250 - - From 6fa8a862a2cb00b6402735681a7a70934ffe8253 Mon Sep 17 00:00:00 2001 From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 5 Feb 2025 16:18:51 +0100 Subject: [PATCH 2/7] [New Hunt] General Kernel Manipulation (#4403) * [New Hunt] General Kernel Manipulation * Update index.yml --- hunting/index.md | 1 + hunting/index.yml | 5 + ...persistence_general_kernel_manipulation.md | 98 +++++++++++++++++++ ...rsistence_general_kernel_manipulation.toml | 73 ++++++++++++++ 4 files changed, 177 insertions(+) create mode 100644 hunting/linux/docs/persistence_general_kernel_manipulation.md create mode 100644 hunting/linux/queries/persistence_general_kernel_manipulation.toml 
diff --git a/hunting/index.md b/hunting/index.md index edd8d5d6f11..49fb60795d1 100644 --- a/hunting/index.md +++ b/hunting/index.md @@ -30,6 +30,7 @@ Here are the queries currently available: - [Defense Evasion via Capitalized Process Execution](./linux/docs/defense_evasion_via_capitalized_process_execution.md) (ES|QL) - [Drivers Load with Low Occurrence Frequency](./linux/docs/persistence_via_driver_load_with_low_occurrence_frequency.md) (ES|QL) - [Excessive SSH Network Activity to Unique Destinations](./linux/docs/excessive_ssh_network_activity_unique_destinations.md) (ES|QL) +- [General Kernel Manipulation](./linux/docs/persistence_general_kernel_manipulation.md) (ES|QL) - [Git Hook/Pager Persistence](./linux/docs/persistence_via_git_hook_pager.md) (ES|QL) - [Hidden Process Execution](./linux/docs/defense_evasion_via_hidden_process_execution.md) (ES|QL) - [Logon Activity by Source IP](./linux/docs/login_activity_by_source_address.md) (ES|QL) diff --git a/hunting/index.yml b/hunting/index.yml index 9c8cdea3f5d..e021274fe00 100644 --- a/hunting/index.yml +++ b/hunting/index.yml @@ -250,6 +250,11 @@ linux: path: ./linux/queries/persistence_via_malicious_docker_container.toml mitre: - T1610 + 9997c6fb-4e01-477f-9011-fc7fc6b000b6: + name: General Kernel Manipulation + path: ./linux/queries/persistence_general_kernel_manipulation.toml + mitre: + - T1542 1206f5e2-aee6-4e5c-bda0-718fe440b1cf: name: Persistence via Initramfs path: ./linux/queries/persistence_via_initramfs.toml diff --git a/hunting/linux/docs/persistence_general_kernel_manipulation.md b/hunting/linux/docs/persistence_general_kernel_manipulation.md new file mode 100644 index 00000000000..9f9d6b9c9cf --- /dev/null +++ b/hunting/linux/docs/persistence_general_kernel_manipulation.md 
@@ -0,0 +1,98 @@ +# General Kernel Manipulation + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt focuses on detecting general kernel and bootloader manipulations on Linux systems, which are critical for system integrity and security. Attackers may target kernel components, bootloader configurations, or secure boot settings to establish persistence or compromise the system at a low level. By monitoring changes to `/boot/` files, examining kernel and platform information, and detecting processes spawned by `systemd`, this hunt provides visibility into potential kernel and boot-related threats. The combination of ES|QL and OSQuery queries ensures robust detection and hunting capabilities for kernel manipulation and persistence attempts. + +- **UUID:** `9997c6fb-4e01-477f-9011-fc7fc6b000b6` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) +- **Language:** `[ES|QL, SQL]` +- **Source File:** [General Kernel Manipulation](../queries/persistence_general_kernel_manipulation.toml) + +## Query + +```sql +sql +from logs-endpoint.events.file-* +| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/boot/*" and +not file.extension in ("dpkg-new", "swp") +| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable +| where agent_count <= 3 and cc <= 5 +| sort cc asc +| limit 100 +``` + +```sql +sql +from logs-endpoint.events.process-* +| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, process.executable, process.command_line, process.parent.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.name == "systemd" +| stats cc = count(), agent_count = 
count_distinct(agent.id) by process.executable, process.command_line +| where agent_count <= 3 and cc < 25 +| sort cc asc +| limit 100 +``` + +```sql +sql +SELECT + f.filename, + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f +LEFT JOIN + users u ON f.uid = u.uid +LEFT JOIN + groups g ON f.gid = g.gid +WHERE f.path LIKE '/boot/%' +AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days +``` + +```sql +sql +SELECT * FROM kernel_info; +``` + +```sql +sql +SELECT * FROM secureboot; +``` + +```sql +sql +SELECT * FROM platform_info; +``` + +```sql +sql +SELECT * FROM kernel_keys; +``` + +## Notes + +- Tracks file creations and modifications within the `/boot/` directory to identify potential tampering with kernel or bootloader files, such as the kernel image, GRUB configuration, or Initramfs. +- Monitors processes spawned by `systemd` with the `already_running` action to detect unusual behavior linked to kernel manipulations. +- Retrieves metadata for kernel and boot-related files, including file ownership, last access times, and modification timestamps, to identify unauthorized changes. +- Leverages OSQuery tables like `kernel_info`, `secureboot`, `platform_info`, and `kernel_keys` to gain insights into the system's boot and kernel integrity, ensuring comprehensive coverage of kernel manipulation activities. +- Helps identify rare or anomalous events by providing statistics on processes and file activities, enabling analysts to detect subtle signs of compromise or persistence. + +## MITRE ATT&CK Techniques + +- [T1542](https://attack.mitre.org/techniques/T1542) + +## License + +- `Elastic License v2` 
diff --git a/hunting/linux/queries/persistence_general_kernel_manipulation.toml b/hunting/linux/queries/persistence_general_kernel_manipulation.toml
new file mode 100644
index 00000000000..92e9208f945
--- /dev/null
+++ b/hunting/linux/queries/persistence_general_kernel_manipulation.toml
@@ -0,0 +1,73 @@ +[hunt] +author = "Elastic" +description = """ +This hunt focuses on detecting general kernel and bootloader manipulations on Linux systems, which are critical for system integrity and security. Attackers may target kernel components, bootloader configurations, or secure boot settings to establish persistence or compromise the system at a low level. By monitoring changes to `/boot/` files, examining kernel and platform information, and detecting processes spawned by `systemd`, this hunt provides visibility into potential kernel and boot-related threats. The combination of ES|QL and OSQuery queries ensures robust detection and hunting capabilities for kernel manipulation and persistence attempts. +""" +integration = ["endpoint"] +uuid = "9997c6fb-4e01-477f-9011-fc7fc6b000b6" +name = "General Kernel Manipulation" +language = ["ES|QL", "SQL"] +license = "Elastic License v2" +notes = [ + "Tracks file creations and modifications within the `/boot/` directory to identify potential tampering with kernel or bootloader files, such as the kernel image, GRUB configuration, or Initramfs.", + "Monitors processes spawned by `systemd` with the `already_running` action to detect unusual behavior linked to kernel manipulations.", + "Retrieves metadata for kernel and boot-related files, including file ownership, last access times, and modification timestamps, to identify unauthorized changes.", + "Leverages OSQuery tables like `kernel_info`, `secureboot`, `platform_info`, and `kernel_keys` to gain insights into the system's boot and kernel integrity, ensuring comprehensive coverage of kernel manipulation activities.", + "Helps identify rare or anomalous events by providing statistics on processes and file activities, enabling analysts to detect subtle signs of compromise or persistence." 
+] +mitre = ["T1542"] +query = [ +'''sql +from logs-endpoint.events.file-* +| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type in ("creation", "change") and file.path like "/boot/*" and +not file.extension in ("dpkg-new", "swp") +| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable +| where agent_count <= 3 and cc <= 5 +| sort cc asc +| limit 100 +''', +'''sql +from logs-endpoint.events.process-* +| keep @timestamp, host.os.type, event.type, event.action, process.parent.name, process.executable, process.command_line, process.parent.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type == "info" and event.action == "already_running" and process.parent.name == "systemd" +| stats cc = count(), agent_count = count_distinct(agent.id) by process.executable, process.command_line +| where agent_count <= 3 and cc < 25 +| sort cc asc +| limit 100 +''', +'''sql +SELECT + f.filename, + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f +LEFT JOIN + users u ON f.uid = u.uid +LEFT JOIN + groups g ON f.gid = g.gid +WHERE f.path LIKE '/boot/%' +AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days +''', +'''sql +SELECT * FROM kernel_info; +''', +'''sql +SELECT * FROM secureboot; +''', +'''sql +SELECT * FROM platform_info; +''', +'''sql +SELECT * FROM kernel_keys; +''', +] From 1aea556998e30df7976b824b8c318c6f1314e722 Mon Sep 17 00:00:00 2001 
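Review bot: In the osquery query, `WHERE f.path LIKE '/boot/%'` lists one directory level only — in osquery's `file` table a single `%` does not recurse, `%%` does — so `/boot/grub/grub.cfg`, `/boot/efi/EFI/*` and `/boot/loader/entries/*` are never returned even though the notes say the hunt covers GRUB configuration; change it to `WHERE f.path LIKE '/boot/%%'` (the PolicyKit hunt later in this series already uses `%%` for its recursive paths). The ES|QL file query has the opposite shape, since `file.path like "/boot/*"` does match nested paths, so the two halves of the hunt currently disagree on scope. Separately, the second ES|QL query (`event.action == "already_running"` with `process.parent.name == "systemd"`) surfaces every service that was already running when the agent enumerated processes and nothing in it ties to `/boot` or the kernel; either explain in `notes` what kernel-related signal it is meant to expose or drop it from this hunt. Minor: that query keeps `process.parent.executable` but never uses it in `stats`.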
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 5 Feb 2025 16:29:47 +0100 Subject: [PATCH 3/7] [New Hunt] Persistence via PolicyKit (#4406) * [New Hunt] Persistence via PolicyKit * ++ --- hunting/index.md | 1 + hunting/index.yml | 5 ++ .../linux/docs/persistence_via_policykit.md | 79 +++++++++++++++++++ .../queries/persistence_via_policykit.toml | 64 +++++++++++++++ 4 files changed, 149 insertions(+) create mode 100644 hunting/linux/docs/persistence_via_policykit.md create mode 100644 hunting/linux/queries/persistence_via_policykit.toml diff --git a/hunting/index.md b/hunting/index.md index 49fb60795d1..a8a22763c08 100644 --- a/hunting/index.md +++ b/hunting/index.md @@ -51,6 +51,7 @@ Here are the queries currently available: - [Persistence via Message-of-the-Day](./linux/docs/persistence_via_message_of_the_day.md) (ES|QL) - [Persistence via Package Manager](./linux/docs/persistence_via_package_manager.md) (ES|QL) - [Persistence via Pluggable Authentication Modules (PAM)](./linux/docs/persistence_via_pluggable_authentication_module.md) (ES|QL) +- [Persistence via PolicyKit](./linux/docs/persistence_via_policykit.md) (ES|QL) - [Persistence via SSH Configurations and/or Keys](./linux/docs/persistence_via_ssh_configurations_and_keys.md) (ES|QL) - [Persistence via System V Init](./linux/docs/persistence_via_sysv_init.md) (ES|QL) - [Persistence via Systemd (Timers)](./linux/docs/persistence_via_systemd_timers.md) (ES|QL) diff --git a/hunting/index.yml b/hunting/index.yml index e021274fe00..20430336e6a 100644 --- a/hunting/index.yml +++ b/hunting/index.yml 
@@ -250,6 +250,11 @@ linux: path: ./linux/queries/persistence_via_malicious_docker_container.toml mitre: - T1610 + 4e8a17d3-9139-4b45-86d5-79e8d1eba71e: + name: Persistence via PolicyKit + path: ./linux/queries/persistence_via_policykit.toml + mitre: + - T1543 9997c6fb-4e01-477f-9011-fc7fc6b000b6: name: General Kernel Manipulation path: ./linux/queries/persistence_general_kernel_manipulation.toml diff --git a/hunting/linux/docs/persistence_via_policykit.md b/hunting/linux/docs/persistence_via_policykit.md new file mode 100644 index 00000000000..590d89bb252 --- /dev/null +++ b/hunting/linux/docs/persistence_via_policykit.md 
@@ -0,0 +1,79 @@ +# Persistence via PolicyKit + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies potential persistence mechanisms leveraging PolicyKit (Polkit) on Linux systems. PolicyKit is a system service used to manage system-wide privileges and is often targeted by attackers to escalate privileges or maintain persistence. By monitoring file creations and modifications in key PolicyKit directories and analyzing metadata for Polkit-related files, this hunt helps detect unauthorized changes or suspicious activities that may indicate malicious use of PolicyKit. It provides detailed insights into potentially compromised PolicyKit configurations, enabling analysts to identify and respond to this persistence technique. + +- **UUID:** `4e8a17d3-9139-4b45-86d5-79e8d1eba71e` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) +- **Language:** `[ES|QL, SQL]` +- **Source File:** [Persistence via PolicyKit](../queries/persistence_via_policykit.toml) + +## Query + +```sql +sql +from logs-endpoint.events.file-* +| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type in ("creation", "change") and ( + file.path like "/etc/polkit-1/rules.d/*" or + file.path like "/usr/share/polkit-1/rules.d/*" or + file.path like "/usr/share/polkit-1/actions/*" or + file.path like "/etc/polkit-1/localauthority/*" or + file.path like "/var/lib/polkit-1/localauthority/*" +) and not ( + file.extension in ("swp", "dpkg-new") or + process.name in ("dnf", "yum", "dpkg") +) +| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable +| where agent_count <= 3 +| sort cc asc +| limit 100 +``` + +```sql +sql +SELECT + f.filename, + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS 
file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f +LEFT JOIN + users u ON f.uid = u.uid +LEFT JOIN + groups g ON f.gid = g.gid +WHERE ( + f.path = '/etc/polkit-1/rules.d/%' + OR f.path LIKE '/usr/share/polkit-1/rules.d/%' + OR f.path LIKE '/usr/share/polkit-1/actions/%' + OR f.path LIKE '/etc/polkit-1/localauthority/%%' + OR f.path LIKE '/var/lib/polkit-1/localauthority/%%' + ) +AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days +``` + +## Notes + +- Tracks file creations and modifications in PolicyKit-related directories such as `/etc/polkit-1/rules.d/`, `/usr/share/polkit-1/rules.d/`, `/usr/share/polkit-1/actions/`, and others to detect unauthorized additions or tampering. +- Retrieves metadata for PolicyKit configuration files, including ownership, last access times, and modification timestamps, to identify unauthorized or suspicious changes. +- Focuses on recent file modifications within the last 7 days to provide timely detection of potential malicious activities. +- Helps detect rare or anomalous file modifications by correlating process execution with file activities, enabling analysts to identify subtle signs of compromise. + +## MITRE ATT&CK Techniques + +- [T1543](https://attack.mitre.org/techniques/T1543) + +## License + +- `Elastic License v2` diff --git a/hunting/linux/queries/persistence_via_policykit.toml b/hunting/linux/queries/persistence_via_policykit.toml new file mode 100644 index 00000000000..b8dabe2f990 --- /dev/null +++ b/hunting/linux/queries/persistence_via_policykit.toml 
@@ -0,0 +1,64 @@ +[hunt] +author = "Elastic" +description = """ +This hunt identifies potential persistence mechanisms leveraging PolicyKit (Polkit) on Linux systems. PolicyKit is a system service used to manage system-wide privileges and is often targeted by attackers to escalate privileges or maintain persistence. By monitoring file creations and modifications in key PolicyKit directories and analyzing metadata for Polkit-related files, this hunt helps detect unauthorized changes or suspicious activities that may indicate malicious use of PolicyKit. It provides detailed insights into potentially compromised PolicyKit configurations, enabling analysts to identify and respond to this persistence technique. +""" +integration = ["endpoint"] +uuid = "4e8a17d3-9139-4b45-86d5-79e8d1eba71e" +name = "Persistence via PolicyKit" +language = ["ES|QL", "SQL"] +license = "Elastic License v2" +notes = [ + "Tracks file creations and modifications in PolicyKit-related directories such as `/etc/polkit-1/rules.d/`, `/usr/share/polkit-1/rules.d/`, `/usr/share/polkit-1/actions/`, and others to detect unauthorized additions or tampering.", + "Retrieves metadata for PolicyKit configuration files, including ownership, last access times, and modification timestamps, to identify unauthorized or suspicious changes.", + "Focuses on recent file modifications within the last 7 days to provide timely detection of potential malicious activities.", + "Helps detect rare or anomalous file modifications by correlating process execution with file activities, enabling analysts to identify subtle signs of compromise." 
+] +mitre = ["T1543"] +query = [ +'''sql +from logs-endpoint.events.file-* +| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type in ("creation", "change") and ( + file.path like "/etc/polkit-1/rules.d/*" or + file.path like "/usr/share/polkit-1/rules.d/*" or + file.path like "/usr/share/polkit-1/actions/*" or + file.path like "/etc/polkit-1/localauthority/*" or + file.path like "/var/lib/polkit-1/localauthority/*" +) and not ( + file.extension in ("swp", "dpkg-new") or + process.name in ("dnf", "yum", "dpkg") +) +| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable +| where agent_count <= 3 +| sort cc asc +| limit 100 +''', +'''sql +SELECT + f.filename, + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f +LEFT JOIN + users u ON f.uid = u.uid +LEFT JOIN + groups g ON f.gid = g.gid +WHERE ( + f.path = '/etc/polkit-1/rules.d/%' + OR f.path LIKE '/usr/share/polkit-1/rules.d/%' + OR f.path LIKE '/usr/share/polkit-1/actions/%' + OR f.path LIKE '/etc/polkit-1/localauthority/%%' + OR f.path LIKE '/var/lib/polkit-1/localauthority/%%' + ) +AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days +''' +] From 802419178c0b92f6764de0114e68ecee8515dfb0 Mon Sep 17 00:00:00 2001 
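Review bot: The osquery `WHERE` clause uses `f.path = '/etc/polkit-1/rules.d/%'` — equality, not `LIKE` — so the directory an administrator or attacker is most likely to drop a rule into never matches, because no file is literally named `%`; it should read `f.path LIKE '/etc/polkit-1/rules.d/%'` like the predicates beneath it (the generated `docs/` copy in the previous hunk repeats the same mistake). The mix of `%` and `%%` deserves a one-line comment: in osquery's `file` table `%` lists one level and `%%` recurses, so `rules.d` and `actions` are scanned flat while `localauthority` is walked fully, which is reasonable given its `50-local.d/`-style subdirectories but is not obvious to the next reader. The ES|QL half excludes `dnf`, `yum` and `dpkg` by `process.name`; if `rpm` is seen writing polkit files on RPM-based hosts in your data it probably belongs in that list too.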
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Date: Wed, 5 Feb 2025 16:45:17 +0100 Subject: [PATCH 4/7] [New Hunt] Persistence via Desktop Bus (D-Bus) (#4407) --- hunting/index.md | 1 + hunting/index.yml | 5 + .../linux/docs/persistence_via_desktop_bus.md | 95 +++++++++++++++++++ .../queries/persistence_via_desktop_bus.toml | 78 +++++++++++++++ 4 files changed, 179 insertions(+) create mode 100644 hunting/linux/docs/persistence_via_desktop_bus.md create mode 100644 hunting/linux/queries/persistence_via_desktop_bus.toml diff --git a/hunting/index.md b/hunting/index.md index a8a22763c08..e35334f16d7 100644 --- a/hunting/index.md +++ b/hunting/index.md @@ -43,6 +43,7 @@ Here are the queries currently available: - [Persistence Through Reverse/Bind Shells](./linux/docs/persistence_reverse_bind_shells.md) (ES|QL) - [Persistence via Cron](./linux/docs/persistence_via_cron.md) (ES|QL) - [Persistence via DPKG/RPM Package](./linux/docs/persistence_via_rpm_dpkg_installer_packages.md) (ES|QL) +- [Persistence via Desktop Bus (D-Bus)](./linux/docs/persistence_via_desktop_bus.md) (ES|QL) - [Persistence via Docker Container](./linux/docs/persistence_via_malicious_docker_container.md) (ES|QL) - [Persistence via Dynamic Linker Hijacking](./linux/docs/persistence_via_dynamic_linker_hijacking.md) (ES|QL) - [Persistence via GRUB Bootloader](./linux/docs/persistence_via_grub_bootloader.md) (ES|QL) diff --git a/hunting/index.yml b/hunting/index.yml index 20430336e6a..dffb81079cb 100644 --- a/hunting/index.yml +++ b/hunting/index.yml @@ -250,6 +250,11 @@ linux: path: ./linux/queries/persistence_via_malicious_docker_container.toml mitre: - T1610 + 2223bbda-b931-4f33-aeb4-0e0732a370dd: + name: Persistence via Desktop Bus (D-Bus) + path: ./linux/queries/persistence_via_desktop_bus.toml + mitre: + - T1543 4e8a17d3-9139-4b45-86d5-79e8d1eba71e: name: Persistence via PolicyKit path: ./linux/queries/persistence_via_policykit.toml 
diff --git a/hunting/linux/docs/persistence_via_desktop_bus.md b/hunting/linux/docs/persistence_via_desktop_bus.md
new file mode 100644
index 00000000000..f17b0815726
--- /dev/null
+++ b/hunting/linux/docs/persistence_via_desktop_bus.md
@@ -0,0 +1,95 @@ +# Persistence via Desktop Bus (D-Bus) + +--- + +## Metadata + +- **Author:** Elastic +- **Description:** This hunt identifies potential persistence mechanisms leveraging the Desktop Bus (D-Bus) system on Linux. D-Bus is an inter-process communication (IPC) system that facilitates communication between various system components and applications. Attackers can exploit D-Bus by creating or modifying services, configuration files, or system policies to maintain persistence or execute unauthorized actions. This hunt monitors suspicious process activity related to D-Bus, tracks changes to key D-Bus configuration and service files, and retrieves metadata for further analysis. The approach helps analysts identify and respond to persistence techniques targeting D-Bus. + +- **UUID:** `2223bbda-b931-4f33-aeb4-0e0732a370dd` +- **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) +- **Language:** `[ES|QL, SQL]` +- **Source File:** [Persistence via Desktop Bus (D-Bus)](../queries/persistence_via_desktop_bus.toml) + +## Query + +```sql +sql +from logs-endpoint.events.process-* +| keep @timestamp, host.os.type, event.type, event.action, process.name, process.parent.name, process.command_line, process.executable, process.parent.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + process.parent.name == "dbus-daemon" or process.name == "dbus-send" +) +| stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.executable, process.parent.executable +| where agent_count <= 3 and cc < 15 +| sort cc asc +| limit 100 +``` + +```sql +sql +from logs-endpoint.events.file-* +| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type in ("creation", "change") and ( + 
file.path like "/usr/share/dbus-1/*" or + file.path like "/usr/local/share/dbus-1/*" or + file.path like "/etc/dbus-1/*" or + file.path like "/home/*/.local/share/dbus-1/*" +) and not ( + file.extension in ("swp", "dpkg-new") or + process.name in ("dnf", "yum", "dpkg") +) +| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable +| where agent_count <= 3 +| sort cc asc +| limit 100 +``` + +```sql +sql +SELECT + f.filename, + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f +LEFT JOIN + users u ON f.uid = u.uid +LEFT JOIN + groups g ON f.gid = g.gid +WHERE ( + f.path LIKE '/usr/share/dbus-1/system-services/%' + OR f.path LIKE '/usr/local/share/dbus-1/system-services/%' + OR f.path LIKE '/etc/dbus-1/system.d/%' + OR f.path LIKE '/usr/share/dbus-1/system.d/%' + OR f.path LIKE '/usr/share/dbus-1/session-services/%' + OR f.path LIKE '/home/%/.local/share/dbus-1/services/%' + OR f.path LIKE '/etc/dbus-1/session.d/%' + OR f.path LIKE '/usr/share/dbus-1/session.d/%' + ) +AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days +``` + +## Notes + +- Monitors processes related to D-Bus, such as `dbus-daemon` and `dbus-send`, to identify unauthorized or anomalous executions indicative of persistence or abuse. +- Tracks creations and modifications to critical D-Bus directories, including `/usr/share/dbus-1/`, `/usr/local/share/dbus-1/`, `/etc/dbus-1/`, and `~/.local/share/dbus-1/`, which may indicate malicious activity. +- Retrieves metadata for D-Bus service and configuration files, such as file ownership, access times, and modification timestamps, to detect unauthorized changes. 
+- Focuses on recent changes within the last 7 days to identify timely indicators of compromise while maintaining historical context for analysis. + +## MITRE ATT&CK Techniques + +- [T1543](https://attack.mitre.org/techniques/T1543) + +## License + +- `Elastic License v2` diff --git a/hunting/linux/queries/persistence_via_desktop_bus.toml b/hunting/linux/queries/persistence_via_desktop_bus.toml new file mode 100644 index 00000000000..ea5157340dd --- /dev/null +++ b/hunting/linux/queries/persistence_via_desktop_bus.toml 
@@ -0,0 +1,78 @@ +[hunt] +author = "Elastic" +description = """ +This hunt identifies potential persistence mechanisms leveraging the Desktop Bus (D-Bus) system on Linux. D-Bus is an inter-process communication (IPC) system that facilitates communication between various system components and applications. Attackers can exploit D-Bus by creating or modifying services, configuration files, or system policies to maintain persistence or execute unauthorized actions. This hunt monitors suspicious process activity related to D-Bus, tracks changes to key D-Bus configuration and service files, and retrieves metadata for further analysis. The approach helps analysts identify and respond to persistence techniques targeting D-Bus. +""" +integration = ["endpoint"] +uuid = "2223bbda-b931-4f33-aeb4-0e0732a370dd" +name = "Persistence via Desktop Bus (D-Bus)" +language = ["ES|QL", "SQL"] +license = "Elastic License v2" +notes = [ + "Monitors processes related to D-Bus, such as `dbus-daemon` and `dbus-send`, to identify unauthorized or anomalous executions indicative of persistence or abuse.", + "Tracks creations and modifications to critical D-Bus directories, including `/usr/share/dbus-1/`, `/usr/local/share/dbus-1/`, `/etc/dbus-1/`, and `~/.local/share/dbus-1/`, which may indicate malicious activity.", + "Retrieves metadata for D-Bus service and configuration files, such as file ownership, access times, and modification timestamps, to detect unauthorized changes.", + "Focuses on recent changes within the last 7 days to identify timely indicators of compromise while maintaining historical context for analysis." 
+] +mitre = ["T1543"] +query = [ +'''sql +from logs-endpoint.events.process-* +| keep @timestamp, host.os.type, event.type, event.action, process.name, process.parent.name, process.command_line, process.executable, process.parent.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( + process.parent.name == "dbus-daemon" or process.name == "dbus-send" +) +| stats cc = count(), agent_count = count_distinct(agent.id) by process.command_line, process.executable, process.parent.executable +| where agent_count <= 3 and cc < 15 +| sort cc asc +| limit 100 +''', +'''sql +from logs-endpoint.events.file-* +| keep @timestamp, host.os.type, event.type, event.action, file.path, file.extension, process.name, process.executable, agent.id +| where @timestamp > now() - 30 day +| where host.os.type == "linux" and event.type in ("creation", "change") and ( + file.path like "/usr/share/dbus-1/*" or + file.path like "/usr/local/share/dbus-1/*" or + file.path like "/etc/dbus-1/*" or + file.path like "/home/*/.local/share/dbus-1/*" +) and not ( + file.extension in ("swp", "dpkg-new") or + process.name in ("dnf", "yum", "dpkg") +) +| stats cc = count(), agent_count = count_distinct(agent.id) by file.path, process.executable +| where agent_count <= 3 +| sort cc asc +| limit 100 +''', +'''sql +SELECT + f.filename, + f.path, + u.username AS file_owner, + g.groupname AS group_owner, + datetime(f.atime, 'unixepoch') AS file_last_access_time, + datetime(f.mtime, 'unixepoch') AS file_last_modified_time, + datetime(f.ctime, 'unixepoch') AS file_last_status_change_time, + datetime(f.btime, 'unixepoch') AS file_created_time, + f.size AS size_bytes +FROM + file f +LEFT JOIN + users u ON f.uid = u.uid +LEFT JOIN + groups g ON f.gid = g.gid +WHERE ( + f.path LIKE '/usr/share/dbus-1/system-services/%' + OR f.path LIKE '/usr/local/share/dbus-1/system-services/%' + OR f.path LIKE '/etc/dbus-1/system.d/%' + OR 
f.path LIKE '/usr/share/dbus-1/system.d/%' + OR f.path LIKE '/usr/share/dbus-1/session-services/%' + OR f.path LIKE '/home/%/.local/share/dbus-1/services/%' + OR f.path LIKE '/etc/dbus-1/session.d/%' + OR f.path LIKE '/usr/share/dbus-1/session.d/%' + ) +AND (mtime > strftime('%s', 'now') - (7 * 86400)); -- Modified in the last 7 days +''' +] From 3e0ba33749657f2a4b042f468146563971ad914c Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 5 Feb 2025 14:51:47 -0300 Subject: [PATCH 5/7] [Rule Tuning] Remote Execution via File Shares (#4448) --- ...ateral_movement_execution_via_file_shares_sequence.toml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml index 91c3bc7480e..b92e8e796b4 100644 --- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml +++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/03" integration = ["endpoint"] maturity = "production" -updated_date = "2025/02/03" +updated_date = "2025/02/05" [transform] [[transform.osquery]] @@ -116,7 +116,8 @@ sequence with maxspan=1m /* Veeam related processes */ ( process.name : ( - "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", "Veeam.VSS.Sharepoint20??.exe" + "VeeamGuestHelper.exe", "VeeamGuestIndexer.exe", "VeeamAgent.exe", "VeeamLogShipper.exe", + "Veeam.VSS.Sharepoint20??.exe", "OracleProxy.exe", "Veeam.SQL.Service", "VeeamDeploymentSvc.exe" ) and process.code_signature.trusted == true and process.code_signature.subject_name : "Veeam Software Group GmbH" ) or /* PDQ related processes */ 
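Review bot: The osquery recency filter at the end of the third query keys only on `mtime`, which an attacker can reset with `touch -r`/`touch -d` after dropping a `.service` or `.conf` file, so a backdated persistence file falls outside the 7-day window even though `ctime` (already selected as `file_last_status_change_time`) cannot be rewritten from userspace; widen it to `AND (f.mtime > strftime('%s', 'now') - (7 * 86400) OR f.ctime > strftime('%s', 'now') - (7 * 86400))`. In the first ES|QL query, `process.parent.name == "dbus-daemon"` will presumably miss hosts running dbus-broker, where activation goes through `dbus-broker-launch`, as well as services whose `.service` file hands activation to systemd, and `busctl`/`gdbus` can send the same messages as `dbus-send`; consider `process.parent.name in ("dbus-daemon", "dbus-broker-launch") or process.name in ("dbus-send", "busctl", "gdbus")`, confirmed against your fleet. The second query's package-manager exclusion (`dnf`, `yum`, `dpkg`) looks like it leaves a direct `rpm -i` uncovered, which is fine for a hunt but worth stating in `notes` so analysts know why packaged updates via `rpm` still surface.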
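Review bot: `"Veeam.SQL.Service"` in the added Veeam entries has no `.exe` suffix while every sibling in the list does, and since `process.name` on Windows carries the extension this entry will presumably never match; the intended value is likely `"Veeam.SQL.Service.exe"`. Because the list is an exclusion inside a lateral-movement sequence, a dead entry only means the false positive it was meant to suppress keeps firing, but it should be corrected rather than left as a silent no-op. The enclosing `sequence with maxspan=1m` starts and ends outside this hunk.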
@@ -128,7 +129,7 @@ sequence with maxspan=1m ) or /* CrowdStrike related processes */ ( - (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-WindowsSensor.*.exe" and + (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*Sensor*.exe" and process.code_signature.trusted == true and process.code_signature.subject_name : "CrowdStrike, Inc.") or (process.executable : "?:\\Windows\\System32\\drivers\\CrowdStrike\\*-CsInstallerService.exe" and process.code_signature.trusted == true and process.code_signature.subject_name : "Microsoft Windows Hardware Compatibility Publisher") From ab89dfb98dbac3c465925002084ac552bbfce8fa Mon Sep 17 00:00:00 2001 
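Review bot: Widening `*-WindowsSensor.*.exe` to `*Sensor*.exe` turns a name-anchored exclusion into a substring match over everything under `drivers\CrowdStrike\`, and the hunk records no reason for it, so the next person tuning this rule cannot tell whether the broader glob is still needed. The effective control is now the `process.code_signature.trusted == true and process.code_signature.subject_name : "CrowdStrike, Inc."` pair on the following line, which is acceptable, but add an EQL comment above the executable clause naming the sensor binary names that motivated the change, e.g. `/* CS sensor executables vary in name; the signature check is the real constraint */`. The enclosing `sequence` begins and ends outside this hunk.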
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 5 Feb 2025 15:09:27 -0300 Subject: [PATCH 6/7] [Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447) --- rules/macos/credential_access_credentials_keychains.toml | 4 ++-- rules/macos/credential_access_dumping_keychain_security.toml | 4 ++-- ...credential_access_keychain_pwd_retrieval_security_cmd.toml | 4 ++-- .../macos/credential_access_promt_for_pwd_via_osascript.toml | 4 ++-- .../macos/defense_evasion_attempt_del_quarantine_attrib.toml | 4 ++-- ...se_evasion_privacy_controls_tcc_database_modification.toml | 4 ++-- ...privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml | 4 ++-- rules/macos/discovery_users_domain_built_in_commands.toml | 4 ++-- ...execution_initial_access_suspicious_browser_childproc.toml | 4 ++-- .../execution_installer_package_spawned_network_event.toml | 4 ++-- rules/macos/execution_script_via_automator_workflows.toml | 4 ++-- ...execution_scripting_osascript_exec_followed_by_netcon.toml | 4 ++-- .../macos/execution_shell_execution_via_apple_scripting.toml | 4 ++-- ...initial_access_suspicious_mac_ms_office_child_process.toml | 4 ++-- rules/macos/lateral_movement_mounting_smb_share.toml | 4 ++-- rules/macos/lateral_movement_vpn_connection_attempt.toml | 4 ++-- .../macos/persistence_creation_change_launch_agents_file.toml | 4 ++-- .../persistence_creation_hidden_login_item_osascript.toml | 4 ++-- .../persistence_creation_modif_launch_deamon_sequence.toml | 4 ++-- rules/macos/persistence_crontab_creation.toml | 4 ++-- rules/macos/persistence_emond_rules_file_creation.toml | 4 ++-- rules/macos/persistence_emond_rules_process_execution.toml | 4 ++-- ...rsistence_evasion_hidden_launch_agent_deamon_creation.toml | 4 ++-- rules/macos/persistence_finder_sync_plugin_pluginkit.toml | 4 ++-- rules/macos/persistence_folder_action_scripts_runtime.toml | 4 ++-- rules/macos/persistence_login_logout_hooks_defaults.toml | 4 ++-- 
...persistence_modification_sublime_app_plugin_or_script.toml | 4 ++-- ...rsistence_screensaver_engine_unexpected_child_process.toml | 4 ++-- .../persistence_screensaver_plist_file_modification.toml | 4 ++-- .../privilege_escalation_applescript_with_admin_privs.toml | 4 ++-- 30 files changed, 60 insertions(+), 60 deletions(-) diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml index 7f1d21e3c5e..2a010357f8d 100644 --- a/rules/macos/credential_access_credentials_keychains.toml +++ b/rules/macos/credential_access_credentials_keychains.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ for macOS to keep track of users' passwords and credentials for many services an websites, secure notes and certificates. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Access to Keychain Credentials Directories" diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml index f71916bbd2d..259dd41b876 100644 --- a/rules/macos/credential_access_dumping_keychain_security.toml +++ b/rules/macos/credential_access_dumping_keychain_security.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
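Review bot: Narrowing `index` to `logs-endpoint.events.process*` silently drops any clause of the rule query that keys on another event category (`file`, `network`, `library`), and the query for this rule — and for every other rule in this patch — sits outside the hunk, so nothing in the diff shows that the new suffix matches the categories the EQL actually uses. Each retained suffix should be checked against the query's `event.category` / EQL event-type clauses before merging; a mismatch will not error, the rule will just stop firing. Where a rule intentionally reads two data streams, the `["logs-endpoint.events.network*", "logs-endpoint.events.process*"]` form used later in this patch is the right shape, and a single-suffix index on a multi-category sequence is the failure mode to look for.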
@@ -12,7 +12,7 @@ built-in way for macOS to keep track of users' passwords and credentials for man and website passwords, secure notes, certificates, and Kerberos. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Dumping of Keychain Content via Security Command" diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml index 37117d8c8e9..47ebc3c38d8 100644 --- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml +++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/06" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ and website passwords, secure notes, certificates, and Kerberos. """ false_positives = ["Applications for password management."] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Keychain Password Retrieval via Command Line" diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml index 5b5f2466758..3d592185e5f 100644 --- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml +++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/16" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -11,7 +11,7 @@ Identifies the use of osascript to execute scripts via standard input that may p credentials. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Prompt for Credentials with OSASCRIPT" diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml index 210c474844a..b416eec0b08 100644 --- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml +++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/14" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ downloaded from the internet, there is a quarantine flag set on the file. This a defense program at execution time. An adversary may disable this attribute to evade defenses. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Quarantine Attrib Removed by Unsigned or Untrusted Process" diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml index 8539f058613..8740060cc08 100644 --- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml +++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ indicate an attempt to bypass macOS privacy controls, including access to sensit microphone, address book, and calendar. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privacy Control Bypass via TCCDB Modification" diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml index bb618f17925..4a3df5e3284 100644 --- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml +++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Daemon (sshd) to the authorized application list for Full Disk Access. This may privacy controls to access sensitive files. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Privacy Control Bypass via Localhost Secure Copy" diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml index 19802d35071..8d76cbe2dfa 100644 --- a/rules/macos/discovery_users_domain_built_in_commands.toml +++ b/rules/macos/discovery_users_domain_built_in_commands.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/12" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands related to account or group and group information to orient themselves before deciding how to act. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Enumeration of Users or Groups via Built-in Commands" diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml index 1437bb7f2df..ca94c195863 100644 --- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml +++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ visiting a website over the normal course of browsing. With this technique, the for exploitation. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Browser Child Process" diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml index dee99e1096a..83a0df22059 100644 --- a/rules/macos/execution_installer_package_spawned_network_event.toml +++ b/rules/macos/execution_installer_package_spawned_network_event.toml @@ -2,7 +2,7 @@ creation_date = "2021/02/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -20,7 +20,7 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "MacOS Installer Package Spawns Network Event" diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml index c9869178b13..675b7dbaba9 100644 --- a/rules/macos/execution_script_via_automator_workflows.toml +++ b/rules/macos/execution_script_via_automator_workflows.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/23" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ Adversaries may drop a custom workflow template that hosts malicious JavaScript alternative to using osascript. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Automator Workflows Execution" diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml index e72db635aea..14e1b37d267 100644 --- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml +++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -11,7 +11,7 @@ Detects execution via the Apple script interpreter (osascript) followed by a net within a short time period. Adversaries may use malicious scripts for execution and command and control. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Apple Script Execution followed by Network Connection" diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml index d6e2ca8bf40..28baaa593d1 100644 --- a/rules/macos/execution_shell_execution_via_apple_scripting.toml +++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies the execution of the shell process (sh) via scripting (JXA or AppleSc doShellScript functionality in JXA or do shell script in AppleScript to execute system commands. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Shell Execution via Apple Scripting" diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml index 6a9c0878f71..b89f017f619 100644 --- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml +++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/04" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -12,7 +12,7 @@ Excel). These child processes are often launched during exploitation of Office a malicious macros. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious macOS MS Office Child Process" diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml index 4983f63fac6..3ca77d2ef7d 100644 --- a/rules/macos/lateral_movement_mounting_smb_share.toml +++ b/rules/macos/lateral_movement_mounting_smb_share.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands to mount a Server Message Bl use valid accounts to interact with a remote network share using SMB. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Attempt to Mount SMB Share via Command Line" diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml index 0164501a68f..abec7fd2e96 100644 --- a/rules/macos/lateral_movement_vpn_connection_attempt.toml +++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands to connect to an existing Vi may use VPN connections to laterally move and control remote systems on a network. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Virtual Private Network Connection Attempt" 
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml index cf36c7e9509..95a1ec36858 100644 --- a/rules/macos/persistence_creation_change_launch_agents_file.toml +++ b/rules/macos/persistence_creation_change_launch_agents_file.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ launchctl to load a plist into the appropriate directories. """ false_positives = ["Trusted applications persisting via LaunchAgent"] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Launch Agent Creation or Modification and Immediate Loading" diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml index 99dfa038c1b..f050aa7564e 100644 --- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml +++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies the execution of osascript to create a hidden login item. This may in program while concealing its presence. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Creation of Hidden Login Item via Apple Script" diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml index 984c15a420d..db8e0e5858a 100644 
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml +++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml @@ -2,7 +2,7 @@ creation_date = "2020/12/07" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ payloads as part of persistence. """ false_positives = ["Trusted applications persisting via LaunchDaemons"] from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "LaunchDaemon Creation or Modification and Immediate Loading" diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml index be9c600a8cf..33d1ab6029d 100644 --- a/rules/macos/persistence_crontab_creation.toml +++ b/rules/macos/persistence_crontab_creation.toml @@ -2,7 +2,7 @@ creation_date = "2022/04/25" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies attempts to create or modify a crontab via a process that is not cron activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Suspicious CronTab Creation or Modification" diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml index b69497f05d8..00185213a69 100644 --- a/rules/macos/persistence_emond_rules_file_creation.toml +++ b/rules/macos/persistence_emond_rules_file_creation.toml 
@@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies the creation or modification of the Event Monitor Daemon (emond) rule writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.file*"] language = "eql" license = "Elastic License v2" name = "Emond Rules Creation or Modification" diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml index 431b82614d7..71e41889d14 100644 --- a/rules/macos/persistence_emond_rules_process_execution.toml +++ b/rules/macos/persistence_emond_rules_process_execution.toml @@ -2,7 +2,7 @@ creation_date = "2021/01/11" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ service by writing a rule to execute commands when a defined event occurs, such authentication. """ from = "now-9m" -index = ["logs-endpoint.events.*"] +index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Suspicious Emond Child Process" diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index a2c0c6bbf8c..bb77e430248 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -2,7 +2,7 @@ creation_date = "2020/01/05" integration = ["endpoint"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/04" [rule] author = ["Elastic"] 
@@ -11,7 +11,7 @@ Identifies the creation of a hidden launch agent or daemon. An adversary may est
launch agent or daemon which executes at login.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of Hidden Launch Agent or Daemon"
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 2fd1b692b07..0fc179859b6 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -2,7 +2,7 @@
creation_date = "2020/12/18"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ this feature by adding a rogue Finder Plugin to repeatedly execute malicious pay
"""
false_positives = ["Trusted Finder Sync Plugins"]
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Finder Sync Plugin Registered and Enabled"
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 6dbc162a9fc..6ad77bc7a92 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -2,7 +2,7 @@
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ attached has items added or removed, or when its window is opened, closed, moved
feature to establish persistence by utilizing a malicious script.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Folder Action Script"
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index f64afd9982d..40020db35c3 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -2,7 +2,7 @@
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies use of the Defaults command to install a login or logoff hook in MacO
capability to establish persistence in an environment by inserting code to be executed at login or logout.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Login or Logout Hook"
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index afa5fd22d3d..f1a8df2a905 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -2,7 +2,7 @@
creation_date = "2020/12/23"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Adversaries may create or modify the Sublime application plugins or scripts to e
Sublime application is started.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Sublime Plugin or Application Script Modification"
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 6ce6ddb897a..0ce7bd9a7d6 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -2,7 +2,7 @@
creation_date = "2021/10/05"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ on a macOS endpoint by creating a malicious screensaver (.saver) file and config
execute code each time the screensaver is activated.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Unexpected Child Process of macOS Screensaver Engine"
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 006ce9366c3..294e05f5e8b 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -2,7 +2,7 @@
creation_date = "2021/10/05"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -12,7 +12,7 @@ a macOS endpoint by creating a malicious screensaver (.saver) file and configuri
code each time the screensaver is activated.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
language = "eql"
license = "Elastic License v2"
name = "Screensaver Plist File Modified by Unexpected Process"
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 3eea339272e..ba8ccc67453 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -2,7 +2,7 @@
creation_date = "2020/12/27"
integration = ["endpoint"]
maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
[rule]
author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies execution of the Apple script interpreter (osascript) without a passw
privileges.
"""
from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Apple Scripting Execution with Administrator Privileges"
From f5065217d1e202e0a9d794d87438227e30dc88db Mon Sep 17 00:00:00 2001
From: Ian
Date: Wed, 5 Feb 2025 13:25:18 -0500
Subject: [PATCH 7/7] tags (#4)
Co-authored-by: peterydzynski
---
rules/windows/execution_suspicious_powershell_imgload.toml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 9a59c84b8db..f9fb41ad7ad 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -69,6 +69,8 @@ tags = [
"Tactic: Execution",
"Resources: Investigation Guide",
"Data Source: Elastic Defend",
+ "vigilant.exception.list.appplication",
+ "vigilant.exception.list.tenant",
]
timestamp_override = "event.ingested"
type = "new_terms"
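Review bot: The first added tag, `"vigilant.exception.list.appplication"`, misspells "application" (three p's); if anything downstream selects rules by this tag string (exception-list routing, dashboards, tenant filters), the typo will silently exclude this rule while `"vigilant.exception.list.tenant"` still matches, so change it to `"vigilant.exception.list.application",`. The two `vigilant.*` tags also break the `Category: Value` convention of every neighbouring tag (`"Tactic: Execution"`, `"Data Source: Elastic Defend"`), which suggests they are deployment-specific markers rather than rule metadata; if that is the intent, a short comment above them saying which consumer reads them would keep the next maintainer from "fixing" them away. The enclosing `tags` array begins before this hunk (its `tags = [` line appears only in the hunk header).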