macos___re_opened_applications.yml
name: MacOS - Re-opened Applications
id: 40bb64f9-f619-4e3d-8732-328d40377c4b
version: 1
date: '2020-02-07'
author: Jamie Windley, Splunk
status: experimental
type: TTP
description: This search looks for processes referencing the plist files that determine
  which applications are re-opened when a user reboots their machine.
data_source: []
search: '| tstats `security_content_summariesonly` count values(Processes.process)
  as process values(Processes.parent_process) as parent_process min(_time) as firstTime
  max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*"
  by Processes.user Processes.process_name Processes.parent_process_name Processes.dest
  | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `macos___re_opened_applications_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: At this stage, there are no known false positives. During testing,
  no process events referring to the com.apple.loginwindow.plist files were observed during
  normal operation of re-opening applications on reboot. Therefore, it can be assumed
  that any occurrences of this in the process events would be worth investigating.
  In the event that the legitimate modification by the system of these files is in
  fact logged to the process log, then the process_name of that process can be added
  to an allow list.
references: []
tags:
  analytic_story:
  - ColdRoot MacOS RAT
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: tbd
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.process
  - Processes.parent_process
  - Processes.user
  - Processes.process_name
  - Processes.parent_process_name
  - Processes.dest
  risk_score: 25
  security_domain: threat
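As an added example, not part of the Splunk content itself: a Python emulation of what the `tstats` search above computes (the `*com.apple.loginwindow*` wildcard filter, the group-by on user/process_name/parent_process_name/dest, `count`, `values()`, `min`/`max` of `_time` rendered the way `security_content_ctime` does), run over constructed process events, plus the process_name allow list that the known_false_positives note suggests as the role of the `_filter` macro. The events, the `cfprefsd` entry and the `ev()` helper are constructed for illustration, not observed telemetry.

```python
import re
from datetime import datetime, timezone

SEARCH_PATTERN = "*com.apple.loginwindow*"  # Processes.process filter from the search
CTIME_FMT = "%m/%d/%Y %H:%M:%S"             # output format of `security_content_ctime`


def ev(t, user, dest, name, parent, cmd):
    """Build one constructed event shaped like the Endpoint.Processes fields the search uses."""
    return {"_time": t, "user": user, "dest": dest, "process_name": name,
            "parent_process_name": parent, "parent_process": parent, "process": cmd}


# Constructed sample events (not real telemetry). Two reads of the user's loginwindow
# plist, one unrelated command, and a hypothetical system-side reference by cfprefsd.
EVENTS = [
    ev(1581033600, "alice", "mac-01", "plutil", "bash",
       "plutil -p /Users/alice/Library/Preferences/ByHost/com.apple.loginwindow.A1B2.plist"),
    ev(1581033660, "alice", "mac-01", "plutil", "bash",
       "plutil -convert xml1 /Users/alice/Library/Preferences/ByHost/com.apple.loginwindow.A1B2.plist"),
    ev(1581033720, "alice", "mac-01", "ls", "bash", "ls -la /Users/alice/Library/Preferences/ByHost"),
    ev(1581033780, "root", "mac-02", "cfprefsd", "launchd", "cfprefsd agent com.apple.loginwindow.plist"),
]


def splunk_wildcard(pattern):
    """Compile a Splunk-style wildcard ('*' is the only special char, match is case-insensitive)."""
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.IGNORECASE)


def ctime(epoch):
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(CTIME_FMT)


def run_search(events, allow_list=frozenset()):
    """Emulate the detection. allow_list holds process_name values to drop, standing in for
    the `macos___re_opened_applications_filter` macro described in known_false_positives."""
    matcher = splunk_wildcard(SEARCH_PATTERN)
    groups = {}
    for e in events:
        if not matcher.match(e["process"]) or e["process_name"] in allow_list:
            continue
        key = (e["user"], e["process_name"], e["parent_process_name"], e["dest"])
        g = groups.setdefault(key, {"count": 0, "process": set(), "parent_process": set(),
                                     "firstTime": e["_time"], "lastTime": e["_time"]})
        g["count"] += 1
        g["process"].add(e["process"])                 # values(Processes.process)
        g["parent_process"].add(e["parent_process"])   # values(Processes.parent_process)
        g["firstTime"] = min(g["firstTime"], e["_time"])
        g["lastTime"] = max(g["lastTime"], e["_time"])
    return [{"user": u, "process_name": pn, "parent_process_name": ppn, "dest": d,
             "count": g["count"], "process": sorted(g["process"]),
             "parent_process": sorted(g["parent_process"]),
             "firstTime": ctime(g["firstTime"]), "lastTime": ctime(g["lastTime"])}
            for (u, pn, ppn, d), g in groups.items()]
```

Without an allow list both the `plutil` activity and the constructed `cfprefsd` event surface as rows; passing `allow_list={"cfprefsd"}` shows how the filter macro would suppress a confirmed system-side writer without touching user-driven activity.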