From f8f895704536db4bbd2de6a5009f21f4407a0927 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 12 Jan 2021 22:07:30 +0100
Subject: [PATCH 01/11] [New Rule] Enumeration of Users or Groups using Built-In Commands
---
 ...covery_users_domain_built_in_commands.toml | 46 +++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 rules/macos/discovery_users_domain_built_in_commands.toml
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
new file mode 100644
index 00000000000..4a13590c2ff
--- /dev/null
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -0,0 +1,46 @@
+[metadata]
+creation_date = "2021/01/12"
+maturity = "production"
+updated_date = "2021/01/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of macOS built-in command related to accounts or groups enumeration.
+"""
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Enumeration of Users or Groups using Built-In Commands"
+risk_score = 21
+rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
+severity = "low"
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Discovery"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+ (process.name in ("ldapsearch", "dsmemberutil")) or
+ (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls") and process.args:("Active Directory/*", "/Users*", "/Groups*"))
+
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1069"
+name = "Permission Groups Discovery"
+reference = "https://attack.mitre.org/techniques/T1069/"
+
+[[rule.threat.technique]]
+id = "T1087"
+name = "Account Discovery"
+reference = "https://attack.mitre.org/techniques/T1087/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
+
From 2bfcf9a2e9cdbeba1e297513245447c9615283bf Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 12 Jan 2021 22:10:48 +0100
Subject: [PATCH 02/11] Update discovery_users_domain_built_in_commands.toml
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 4a13590c2ff..4892e4169c5 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
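Review bot: In the added query the `or` between the `ldapsearch`/`dsmemberutil` branch and the `dscl` branch binds looser than the preceding `and`, so `event.type in ("start", "process_started")` constrains only the first branch and a `dscl` event of any type matches the second. Group both alternatives under the event-type check, e.g. `process where event.type in ("start", "process_started") and` / `  (process.name in ("ldapsearch", "dsmemberutil") or` / `   (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls") and process.args:("Active Directory/*", "/Users*", "/Groups*")))`. The same precedence problem survives every later rewrite of this query in the series (the hunks for patches 04, 06, 10 and 11), and from patch 04 on it also leaves the `not process.parent.executable` exclusion scoped to the first branch only, so the parents it is meant to silence are still not excluded for `dscl`.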
@@ -21,7 +21,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 (process.name in ("ldapsearch", "dsmemberutil")) or
- (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls") and process.args:("Active Directory/*", "/Users*", "/Groups*"))
+ (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls") and process.args:("/Active Directory/*", "/Users*", "/Groups*"))
 
 '''
 
From 857fbd504dbb5718f883ee668f46d7f9d1aae869 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 13 Jan 2021 15:32:37 +0100
Subject: [PATCH 03/11] added search option
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 4892e4169c5..d2d03a1b9e6 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -21,7 +21,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 (process.name in ("ldapsearch", "dsmemberutil")) or
- (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls") and process.args:("/Active Directory/*", "/Users*", "/Groups*"))
+ (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls", "search", "-search") and process.args:("/Active Directory/*", "/Users*", "/Groups*"))
 
 '''
 
From 6e80976c83eecba9a1d8965834991a188fede5fc Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 21 Jan 2021 00:25:19 +0100
Subject: [PATCH 04/11] excluded some noisy processes
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index d2d03a1b9e6..946447b3081 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -20,8 +20,10 @@ type = "eql"
 
 query = '''
 process where event.type in ("start", "process_started") and
+ not process.parent.executable in ("/Applications/NoMAD.app/Contents/MacOS/NoMAD", "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
 (process.name in ("ldapsearch", "dsmemberutil")) or
- (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls", "search", "-search") and process.args:("/Active Directory/*", "/Users*", "/Groups*"))
+ (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls", "search", "-search") and
+ process.args:("/Active Directory/*" and, "/Users*", "/Groups*"))
 
 '''
 
From d47d8521a784ed5e01ee00c0e64366d8ae75d6f7 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 21 Jan 2021 00:41:46 +0100
Subject: [PATCH 05/11] Update discovery_users_domain_built_in_commands.toml
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 946447b3081..182744610ed 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
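Review bot: The exclusion added on the `not process.parent.executable in (...)` line keys only on the parent's executable path, which is the weakest form of allowlist: any process started from one of those two paths is exempt, not just the two applications. If the endpoint data source populates the parent's code-signature fields, pair the path with them, and record the two exclusions under the rule's `false_positives` list so analysts know why NoMAD and ZoomPresence are silenced. Separately, `"/Active Directory/*" and,` on the last added line is not valid argument-list syntax (patch 05 in this series drops the stray `and`).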
@@ -23,7 +23,7 @@ process where event.type in ("start", "process_started") and
 not process.parent.executable in ("/Applications/NoMAD.app/Contents/MacOS/NoMAD", "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
 (process.name in ("ldapsearch", "dsmemberutil")) or
 (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls", "search", "-search") and
- process.args:("/Active Directory/*" and, "/Users*", "/Groups*"))
+ process.args:("/Active Directory/*", "/Users*", "/Groups*"))
 
 '''
 
From 92eb1aea49a1e06a49b9a27702f3b5595ee1ee77 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 2 Feb 2021 21:41:27 +0100
Subject: [PATCH 06/11] Update rules/macos/discovery_users_domain_built_in_commands.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 .../discovery_users_domain_built_in_commands.toml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 182744610ed..528dcd0e2bd 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -20,10 +20,11 @@ type = "eql"
 
 query = '''
 process where event.type in ("start", "process_started") and
- not process.parent.executable in ("/Applications/NoMAD.app/Contents/MacOS/NoMAD", "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
- (process.name in ("ldapsearch", "dsmemberutil")) or
- (process.name == "dscl" and process.args:("read", "-read", "list", "-list", "ls", "search", "-search") and
- process.args:("/Active Directory/*", "/Users*", "/Groups*"))
+ not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
+ "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
+ (process.name : ("ldapsearch", "dsmemberutil")) or
+ (process.name : "dscl" and process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
+ process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
 
 '''
 
@@ -45,4 +46,3 @@ reference = "https://attack.mitre.org/techniques/T1087/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
-
From 84fbf85765c52bbfaed0a10bcfe36b10d122165c Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 2 Feb 2021 21:41:34 +0100
Subject: [PATCH 07/11] Update rules/macos/discovery_users_domain_built_in_commands.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 528dcd0e2bd..25039d7c9d1 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in command related to accounts or groups
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
-name = "Enumeration of Users or Groups using Built-In Commands"
+name = "Enumeration of Users or Groups via Built-in Commands"
 risk_score = 21
 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
 severity = "low"
From 2aa617a6d9cd0e0fc37708a4895fd38e17ee5b63 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 2 Feb 2021 21:41:41 +0100
Subject: [PATCH 08/11] Update rules/macos/discovery_users_domain_built_in_commands.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 25039d7c9d1..76c44e5b03a 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -6,7 +6,7 @@ updated_date = "2021/01/12"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the execution of macOS built-in command related to accounts or groups enumeration.
+Identifies the execution of macOS built-in commands related to account or group enumeration.
 """
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
From a020855ebe7c7b2e4006703224f0a0ec92ce66dd Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 8 Feb 2021 23:14:36 +0100
Subject: [PATCH 09/11] Update rules/macos/discovery_users_domain_built_in_commands.toml
Co-authored-by: Justin Ibarra
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 76c44e5b03a..9df55c3338c 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -8,6 +8,7 @@ author = ["Elastic"]
 description = """
 Identifies the execution of macOS built-in commands related to account or group enumeration.
 """
+from = "now-9m"
 index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License"
From b69fad9d5dba4c5e1cc2de1b00504041890fca9a Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 8 Feb 2021 23:14:44 +0100
Subject: [PATCH 10/11] Update rules/macos/discovery_users_domain_built_in_commands.toml
Co-authored-by: Justin Ibarra
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 9df55c3338c..0122d0f73bb 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -23,7 +23,7 @@ query = '''
 process where event.type in ("start", "process_started") and
 not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
 "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
- (process.name : ("ldapsearch", "dsmemberutil")) or
+ process.name : ("ldapsearch", "dsmemberutil") or
 (process.name : "dscl" and process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
 process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
 
From 9b82591d6c2df9d5bdd5d0a7f22830a309055992 Mon Sep 17 00:00:00 2001
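Review bot: The added `from = "now-9m"` comes with no `interval` anywhere in the file as shown in this series and no explanation of why nine minutes; if the intent is to overlap the rule's default schedule so events delayed in ingest are not missed, say so in the commit message or next to the key, since a reader otherwise cannot tell whether the look-back is deliberate. Also, `updated_date` in `[metadata]` still reads `"2021/01/12"` (visible in the patch 08 hunk header above) although this and the earlier commits change the rule's logic; unless the repository's tooling stamps it on release, bump it to the date of this change.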
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 8 Feb 2021 23:14:56 +0100
Subject: [PATCH 11/11] Update rules/macos/discovery_users_domain_built_in_commands.toml
Co-authored-by: Justin Ibarra
---
 rules/macos/discovery_users_domain_built_in_commands.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 0122d0f73bb..f2b9bf89c3e 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -24,8 +24,9 @@ process where event.type in ("start", "process_started") and
 not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
 "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence") and
 process.name : ("ldapsearch", "dsmemberutil") or
- (process.name : "dscl" and process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
- process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
+ (process.name : "dscl" and
+ process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
+ process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
 
 '''