Skip to content

[New Rule] - MacOS Keychains compression #136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 10 commits into from
Sep 29, 2020
Merged

[New Rule] - MacOS Keychains compression #136

Changes from all commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
856a946
macOS Keychains compression
Samirbous Aug 14, 2020
b91f8d7
Update exfiltration_compress_credentials_keychains.toml
Samirbous Aug 15, 2020
053285a
Update exfiltration_compress_credentials_keychains.toml
Samirbous Aug 15, 2020
0a4ac09
Update exfiltration_compress_credentials_keychains.toml
Samirbous Aug 19, 2020
926787f
Update rules/macos/exfiltration_compress_credentials_keychains.toml
Samirbous Sep 4, 2020
02a791d
Update rules/macos/exfiltration_compress_credentials_keychains.toml
Samirbous Sep 4, 2020
35aba47
Update rules/macos/exfiltration_compress_credentials_keychains.toml
Samirbous Sep 4, 2020
1e8d31e
Update exfiltration_compress_credentials_keychains.toml
Samirbous Sep 9, 2020
a65bb6a
Merge branch 'main' into Keychain-Data-Exfiltration-Prep
Samirbous Sep 29, 2020
406c6c8
Merge branch 'main' into Keychain-Data-Exfiltration-Prep
Samirbous Sep 29, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions rules/macos/exfiltration_compress_credentials_keychains.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
[metadata]
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/14"

[rule]
author = ["Elastic"]
description = """
Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way
for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords,
websites, secure notes, certificates, and Kerberos.
"""
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Compression of Keychain Credentials Directories"
references = ["https://objective-see.com/blog/blog_0x25.html"]
risk_score = 73
rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
severity = "high"
tags = ["Elastic", "MacOS"]
type = "query"

query = '''
event.category:process and event.type:(start or process_started) and
process.name:(zip or tar or gzip or 7za or hdiutil) and
process.args:("/Library/Keychains/" or "/Network/Library/Keychains/" or "~/Library/Keychains/")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1142"
name = "Keychain"
reference = "https://attack.mitre.org/techniques/T1142/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"