Dumping Account Hashes via Built-In Commands

Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2021/01/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump
credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for
lateral movement.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Dumping Account Hashes via Built-In Commands"
references = [
    "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
    "https://www.unix.com/man-page/osx/8/mkpassdb/",
]
risk_score = 73
rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:start and
 process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Dumping Account Hashes via Built-In Commands

In macOS environments, built-in commands like `defaults` and `mkpassdb` can be exploited by adversaries to extract user account hashes, which are crucial for credential access. These hashes, once obtained, can be cracked to reveal passwords or used for lateral movement within a network. The detection rule identifies suspicious process executions involving these commands and specific arguments, signaling potential credential dumping activities.

### Possible investigation steps

- Review the process execution details to confirm the presence of the `defaults` or `mkpassdb` commands with arguments like `ShadowHashData` or `-dump`, as these are indicative of credential dumping attempts.
- Identify the user account associated with the process execution to determine if the activity aligns with expected behavior for that user or if it appears suspicious.
- Check the historical activity of the involved user account and the host to identify any patterns or anomalies that could suggest unauthorized access or lateral movement.
- Investigate any network connections or subsequent processes initiated by the suspicious process to assess potential data exfiltration or further malicious actions.
- Correlate the event with other security alerts or logs from the same host or user account to build a comprehensive timeline of the activity and assess the scope of the potential compromise.

### False positive analysis

- System administrators or security tools may legitimately use the `defaults` or `mkpassdb` commands for system maintenance or auditing purposes. To manage these, create exceptions for known administrative accounts or tools that regularly execute these commands.
- Automated scripts or management software might invoke these commands as part of routine operations. Identify and whitelist these scripts or software to prevent unnecessary alerts.
- Developers or IT personnel might use these commands during testing or development phases. Establish a process to temporarily exclude these activities by setting up time-bound exceptions for specific user accounts or devices.
- Security assessments or penetration tests could trigger this rule. Coordinate with security teams to schedule and document these activities, allowing for temporary rule adjustments during the testing period.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further lateral movement or data exfiltration.
- Terminate any suspicious processes identified as using the `defaults` or `mkpassdb` commands with the specified arguments to halt ongoing credential dumping activities.
- Conduct a thorough review of user accounts on the affected system to identify any unauthorized access or changes, focusing on accounts with elevated privileges.
- Reset passwords for all potentially compromised accounts, especially those with administrative access, and enforce strong password policies.
- Analyze system logs and network traffic to identify any additional systems that may have been accessed using the compromised credentials, and apply similar containment measures.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
- Implement enhanced monitoring and alerting for similar suspicious activities across the network to detect and respond to future attempts promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
...
```
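To show how the KQL predicate above behaves on telemetry, and how the exception handling the false-positive section recommends fits around it, here is an added example (not Elastic's code and not part of the rule): a small Python evaluator that applies the rule's conditions to ECS-style process-start events and then suppresses matches from a placeholder allow-list of (user, parent process) pairs. All events, account names, tool names and paths below are constructed.

```python
# Added example: evaluate the rule's KQL conditions over constructed ECS-style events.

def _values(event: dict, key: str) -> set:
    """ECS stores event.category, event.type and process.args as arrays;
    normalise scalar-or-array values so KQL-style term matching works."""
    v = event.get(key, [])
    return set(v) if isinstance(v, (list, tuple, set)) else {v}

def rule_matches(event: dict) -> bool:
    """Same predicate as the rule query:
    event.category:process and host.os.type:macos and event.type:start and
    process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump")"""
    return (
        "process" in _values(event, "event.category")
        and event.get("host.os.type") == "macos"
        and "start" in _values(event, "event.type")
        and event.get("process.name") in {"defaults", "mkpassdb"}
        and bool(_values(event, "process.args") & {"ShadowHashData", "-dump"})
    )

def triage(events, exceptions):
    """Return rule matches not covered by an exception.
    exceptions: set of (user.name, process.parent.name) pairs for known
    administrative accounts/tools, as the false-positive guidance suggests."""
    return [
        e for e in events
        if rule_matches(e)
        and (e.get("user.name"), e.get("process.parent.name")) not in exceptions
    ]

# Constructed sample events (not real telemetry); names and paths are placeholders.
SAMPLE_EVENTS = [
    {"event.category": ["process"], "event.type": ["start"], "host.os.type": "macos",
     "process.name": "defaults", "process.args": ["defaults", "read", "/path/to/user.plist", "ShadowHashData"],
     "user.name": "jdoe", "process.parent.name": "bash"},
    {"event.category": ["process"], "event.type": ["start"], "host.os.type": "macos",
     "process.name": "mkpassdb", "process.args": ["mkpassdb", "-dump"],
     "user.name": "svc-audit", "process.parent.name": "audit-agent"},
    {"event.category": ["process"], "event.type": ["start"], "host.os.type": "macos",
     "process.name": "defaults", "process.args": ["defaults", "write", "com.apple.dock", "autohide", "-bool", "true"],
     "user.name": "jdoe", "process.parent.name": "bash"},
    {"event.category": ["process"], "event.type": ["start"], "host.os.type": "linux",
     "process.name": "mkpassdb", "process.args": ["mkpassdb", "-dump"],
     "user.name": "root", "process.parent.name": "sh"},
]
KNOWN_ADMIN_TOOLS = {("svc-audit", "audit-agent")}  # placeholder exception entry

if __name__ == "__main__":
    for e in triage(SAMPLE_EVENTS, KNOWN_ADMIN_TOOLS):
        print("ALERT:", e["user.name"], " ".join(e["process.args"]))
```

Only the first event survives triage: the second matches the query but is covered by the exception, the third lacks the credential-related argument, and the fourth is not a macOS host.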