From 2fee4d9605a579c63d3f65acc3d5e9b6a5e9fb98 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 25 Jan 2021 14:02:30 +0100
Subject: [PATCH 1/4] [New Rule] Virtual Private Network Connection Attempt
---
 ...teral_movement_vpn_connection_attempt.toml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 rules/macos/lateral_movement_vpn_connection_attempt.toml
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
new file mode 100644
index 00000000000..11e607f2487
--- /dev/null
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2020/01/25"
+maturity = "production"
+updated_date = "2020/01/25"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN)."
+from = "now-9m"
+index = ["auditbeat-*", "logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License"
+name = "Virtual Private Network Connection Attempt"
+references = [
+ "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
+ "https://www.unix.com/man-page/osx/8/networksetup/",
+ "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx",
+]
+risk_score = 21
+rule_id = "15dacaa0-5b90-466b-acab-63435a59701a"
+severity = "low"
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
+type = "eql"
+
+query = '''
+process where event.type in ("start", "process_started") and
+ (
+ (process.name == "networksetup" and process.args == "-connectpppoeservice") or
+ (process.name == "scutil" and process.args:"--nc" and process.args:"start") or
+ (process.name == "osascript" and process.command_line:"osascript*set VPN to service*")
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
+
From c48ad674fd8834b8fdacc749d716fb9b29d5dcb1 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 25 Jan 2021 14:12:59 +0100
Subject: [PATCH 2/4] fixed tactic_id
---
 rules/macos/lateral_movement_vpn_connection_attempt.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
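Review bot: The osascript branch's `process.command_line:"osascript*set VPN to service*"` pattern is anchored at the start of the command line, so it only matches when the recorded command line begins with the bare program name; if the event records the full path (e.g. `/usr/bin/osascript ...`), the string starts with the directory and falls outside the pattern even though `process.name` already restricts the branch to osascript. Dropping the prefix, `process.command_line:"*set VPN to service*"`, keeps the match on the AppleScript text alone and closes that gap; the hunks in patches 3 and 4 carry the same pattern. Separately, `creation_date` and `updated_date` are `"2020/01/25"` while the commit is dated 25 Jan 2021, which looks like a year typo. The `[[rule.threat.technique]]` header also follows `framework` with no blank line, unlike the other section breaks in the file.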
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 11e607f2487..d7b46d284a3 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -41,7 +41,7 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 [rule.threat.tactic]
-id = "TA0006"
+id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
From a8b0c1ff26a78a836d1b043d1fc797aebfc5330b Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 26 Jan 2021 09:47:41 +0100
Subject: [PATCH 3/4] Update lateral_movement_vpn_connection_attempt.toml
---
 rules/macos/lateral_movement_vpn_connection_attempt.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index d7b46d284a3..e2afa9056f9 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -25,9 +25,9 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 (
- (process.name == "networksetup" and process.args == "-connectpppoeservice") or
- (process.name == "scutil" and process.args:"--nc" and process.args:"start") or
- (process.name == "osascript" and process.command_line:"osascript*set VPN to service*")
+ (process.name:"networksetup" and process.args:"-connectpppoeservice") or
+ (process.name:"scutil" and process.args:"--nc" and process.args:"start") or
+ (process.name:"osascript" and process.command_line:"osascript*set VPN to service*")
 )
 '''
From 9076f9295c035d3db1fdecf9220e1440e6f2117d Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 2 Feb 2021 16:27:24 +0100
Subject: [PATCH 4/4] Update rules/macos/lateral_movement_vpn_connection_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
---
 .../lateral_movement_vpn_connection_attempt.toml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index e2afa9056f9..11798c04283 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -24,11 +24,11 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- (
- (process.name:"networksetup" and process.args:"-connectpppoeservice") or
- (process.name:"scutil" and process.args:"--nc" and process.args:"start") or
- (process.name:"osascript" and process.command_line:"osascript*set VPN to service*")
- )
+ (
+ (process.name : "networksetup" and process.args : "-connectpppoeservice") or
+ (process.name : "scutil" and process.args : "--nc" and process.args : "start") or
+ (process.name : "osascript" and process.command_line : "osascript*set VPN to service*")
+ )
 '''
@@ -44,4 +44,3 @@ reference = "https://attack.mitre.org/techniques/T1021/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
-