Suspicious pbpaste High Volume Activity
Identifies a high volume of pbpaste executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker to harvest user credentials or other sensitive information.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2024/09/12"
integration = ["endpoint", "jamf_protect"]
maturity = "production"
min_stack_comments = "The jamf integration is available for stack versions 8.12 and above"
min_stack_version = "8.12.0"
updated_date = "2024/09/12"

[transform]
[[transform.investigate]]
label = "Show events having the same responsible process"
providers = [
  [
    {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"},
    {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.group_leader.entity_id}}", valueType = "string"}
  ]
]

[[transform.investigate]]
label = "Show events having the same parent process"
providers = [
  [
    {field = "host.hostname", excluded = false, queryType = "phrase", value = "{{host.hostname}}", valueType = "string"},
    {field = "process.entity_id", excluded = false, queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string"}
  ]
]

[rule]
author = ["Thijs Xhaflaire"]
description = """
Identifies a high volume of `pbpaste` executions, which may indicate a bash loop continuously collecting clipboard contents, potentially allowing an attacker to harvest user credentials or other sensitive information.
"""
from = "now-9m"
index = ["logs-jamf_protect*", "logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious pbpaste High Volume Activity"
references = [
    "https://www.loobins.io/binaries/pbpaste/"
]
note = """## Triage and analysis

To investigate `pbpaste` activity, focus on determining whether the binary is being used maliciously to collect clipboard data. Follow these steps:

> **Note**:
> This investigation guide uses the [Investigate Markdown Plugin](https://www.elastic.co/guide/en/security/master/interactive-investigation-guides.html) introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.

1. **Identify Frequency and Pattern of Execution:**
   - **What to check:** Analyze the frequency and timing of `pbpaste` executions. Look for consistent intervals that might indicate a script or loop is running.
   - **Why:** A high volume of regular `pbpaste` executions could suggest a bash loop designed to continuously capture clipboard data.

2. **Examine Associated Scripts or Processes:**
   - **What to check:** Investigate the parent processes or scripts invoking `pbpaste`. Look for any cron jobs, bash scripts, or automated tasks linked to these executions.
   - **Why:** Understanding what is triggering `pbpaste` can help determine if this activity is legitimate or part of a malicious attempt to gather sensitive information.
   - $investigate_1
   - $investigate_2

3. **Review Clipboard Contents:**
   - **What to check:** If possible, capture and review the clipboard contents during `pbpaste` executions to identify if sensitive data, such as user credentials, is being targeted.
   - **Why:** Attackers may use `pbpaste` to harvest valuable information from the clipboard. Identifying the type of data being collected can indicate the severity of the threat.

4. **Check for Data Exfiltration:**
   - **What to check:** Investigate any output files or network activity associated with `pbpaste` usage. Look for signs that the collected data is being saved to a file, transmitted over the network, or sent to an external location.
   - **Why:** If data is being stored or transmitted, it may be part of an exfiltration attempt. Identifying this can help prevent sensitive information from being leaked.

5. **Correlate with User Activity:**
   - **What to check:** Compare the `pbpaste` activity with the user's normal behavior and system usage patterns.
   - **Why:** If the `pbpaste` activity occurs during times when the user is not active, or if the user denies initiating such tasks, it could indicate unauthorized access or a compromised account.

By thoroughly investigating these aspects of `pbpaste` activity, you can determine whether this is part of a legitimate process or a potential security threat that needs to be addressed.
"""
risk_score = 47
rule_id = "e29599ee-d6ad-46a9-9c6a-dc39f361890d"
setup = """## Setup

This rule requires macOS process events from Jamf Protect or Elastic Defend (index patterns `logs-jamf_protect*` and `logs-endpoint.events.process-*`).

### Jamf Protect Integration Setup
Jamf Protect is integrated into the Elastic Agent using Fleet. Once configured, the integration allows the Elastic Agent to monitor incoming events and send the data to Elastic.

#### Prerequisite Requirements:
- Fleet is required for Jamf Protect.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Jamf Protect integration:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Jamf Protect" and select the integration to see more details about it.
- Click "Add Jamf Protect".
- Configure the integration name.
- Click "Save and Continue".
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Jamf Protect",
    "Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
sequence by host.hostname, host.id with maxspan=1m
  [process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and process.name: "pbpaste"] with runs = 5
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1056"
name = "Input Capture"
reference = "https://attack.mitre.org/techniques/T1056/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis

To investigate pbpaste activity, focus on determining whether the binary is being used maliciously to collect clipboard data. Follow these steps:

Note: This investigation guide uses the Investigate Markdown Plugin introduced in Elastic Stack version 8.8.0. Older Elastic Stack versions will display unrendered Markdown in this guide.

1. Identify Frequency and Pattern of Execution:
   - What to check: Analyze the frequency and timing of pbpaste executions. Look for consistent intervals that might indicate a script or loop is running.
   - Why: A high volume of regular pbpaste executions could suggest a bash loop designed to continuously capture clipboard data.

2. Examine Associated Scripts or Processes:
   - What to check: Investigate the parent processes or scripts invoking pbpaste. Look for any cron jobs, bash scripts, or automated tasks linked to these executions.
   - Why: Understanding what is triggering pbpaste can help determine if this activity is legitimate or part of a malicious attempt to gather sensitive information.
   - Show events having the same responsible process
   - Show events having the same parent process

3. Review Clipboard Contents:
   - What to check: If possible, capture and review the clipboard contents during pbpaste executions to identify if sensitive data, such as user credentials, is being targeted.
   - Why: Attackers may use pbpaste to harvest valuable information from the clipboard. Identifying the type of data being collected can indicate the severity of the threat.

4. Check for Data Exfiltration:
   - What to check: Investigate any output files or network activity associated with pbpaste usage. Look for signs that the collected data is being saved to a file, transmitted over the network, or sent to an external location.
   - Why: If data is being stored or transmitted, it may be part of an exfiltration attempt. Identifying this can help prevent sensitive information from being leaked.

5. Correlate with User Activity:
   - What to check: Compare the pbpaste activity with the user's normal behavior and system usage patterns.
   - Why: If the pbpaste activity occurs during times when the user is not active, or if the user denies initiating such tasks, it could indicate unauthorized access or a compromised account.

By thoroughly investigating these aspects of pbpaste activity, you can determine whether this is part of a legitimate process or a potential security threat that needs to be addressed.
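The rule's EQL sequence and the first two triage steps, as an added Python example that is not part of the Elastic rule or of this page: it re-implements `sequence by host.hostname, host.id with maxspan=1m [...] with runs = 5` over constructed process events, then reports the execution cadence (step 1) and the parent processes responsible (step 2, the "same parent process" pivot). All hostnames, host IDs, parent entity IDs and timestamps are constructed for the example, the event shape is a minimal ECS-like dictionary rather than a real Jamf Protect or Elastic Defend document, and the window handling is an approximation of EQL sequence semantics (five consecutive qualifying events within one minute, consumed once matched).

```python
"""Added example: emulate the pbpaste EQL sequence and triage pivots over constructed events."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

MAXSPAN = timedelta(minutes=1)  # rule: with maxspan=1m
RUNS = 5                        # rule: with runs = 5


def _ts(ev):
    """Parse the ECS @timestamp (the constructed events use a 'Z' suffix)."""
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


def _ev(hostname, host_id, ts, name, parent, action="exec", etype="start", os_type="macos"):
    """Build a minimal ECS-shaped process event (constructed sample data, not real telemetry)."""
    return {
        "@timestamp": ts,
        "host": {"hostname": hostname, "id": host_id, "os": {"type": os_type}},
        "event": {"type": etype, "action": action},
        "process": {"name": name, "parent": {"entity_id": parent}},
    }


# Constructed sample telemetry. mac-a runs pbpaste every 2 s from a single bash parent (a
# harvesting loop); mac-b pastes five times from Terminal over twenty minutes (interactive use).
SAMPLE_EVENTS = [
    _ev("mac-a", "A1", "2024-09-12T12:00:00Z", "pbpaste", "bash-4242"),
    _ev("mac-a", "A1", "2024-09-12T12:00:01Z", "pbpaste", "bash-4242", action="fork"),  # fork, not exec
    _ev("mac-a", "A1", "2024-09-12T12:00:02Z", "pbpaste", "bash-4242"),
    _ev("mac-a", "A1", "2024-09-12T12:00:03Z", "pbcopy", "bash-4242"),  # different binary
    _ev("mac-a", "A1", "2024-09-12T12:00:04Z", "pbpaste", "bash-4242"),
    _ev("mac-a", "A1", "2024-09-12T12:00:06Z", "pbpaste", "bash-4242"),
    _ev("mac-a", "A1", "2024-09-12T12:00:08Z", "pbpaste", "bash-4242"),
    _ev("mac-b", "B1", "2024-09-12T12:00:00Z", "pbpaste", "Terminal-77"),
    _ev("mac-b", "B1", "2024-09-12T12:03:30Z", "pbpaste", "Terminal-77"),
    _ev("mac-b", "B1", "2024-09-12T12:09:00Z", "pbpaste", "Terminal-77"),
    _ev("mac-b", "B1", "2024-09-12T12:15:00Z", "pbpaste", "Terminal-77"),
    _ev("mac-b", "B1", "2024-09-12T12:20:00Z", "pbpaste", "Terminal-77"),
]


def matches_rule_filter(ev):
    """The rule's event filter. EQL's ':' operator is case-insensitive, hence .lower()."""
    return (
        ev["host"]["os"]["type"] == "macos"
        and ev["event"]["type"] == "start"
        and ev["event"]["action"] == "exec"
        and ev["process"]["name"].lower() == "pbpaste"
    )


def cadence(events):
    """Triage step 1: gaps between executions in seconds; a near-zero stdev suggests a timed loop."""
    stamps = sorted(_ts(e) for e in events)
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    if not gaps:
        return {"gaps_s": [], "mean_s": None, "stdev_s": None}
    return {"gaps_s": gaps, "mean_s": sum(gaps) / len(gaps), "stdev_s": pstdev(gaps)}


def responsible_parents(events):
    """Triage step 2: executions per parent entity_id (the 'same parent process' pivot)."""
    counts = defaultdict(int)
    for e in events:
        counts[e["process"]["parent"]["entity_id"]] += 1
    return dict(counts)


def detect(events):
    """Approximate 'sequence by host.hostname, host.id with maxspan=1m [...] with runs = 5'.

    Per host, keep a window of qualifying events whose span fits in MAXSPAN; once it holds RUNS
    events, emit one alert and consume them, as a completed EQL sequence would.
    """
    by_host = defaultdict(list)
    for ev in events:
        if matches_rule_filter(ev):
            by_host[(ev["host"]["hostname"], ev["host"]["id"])].append(ev)

    alerts = []
    for (hostname, host_id), evs in by_host.items():
        window = []
        for ev in sorted(evs, key=_ts):
            window.append(ev)
            while _ts(ev) - _ts(window[0]) > MAXSPAN:  # drop events too old to share a span
                window.pop(0)
            if len(window) == RUNS:
                alerts.append({
                    "host.hostname": hostname,
                    "host.id": host_id,
                    "first_seen": window[0]["@timestamp"],
                    "last_seen": window[-1]["@timestamp"],
                    "parents": responsible_parents(window),
                    "cadence": cadence(window),
                })
                window = []
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints one alert for mac-a with a 2.0 s mean gap and zero deviation from a single bash parent, while mac-b's five interactive pastes never fall within one minute and produce nothing; in a real investigation the same cadence and parent summaries would be built from the events returned by the two investigate links above.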
References
- https://www.loobins.io/binaries/pbpaste/
Related rules
- Access to Keychain Credentials Directories
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command
- Kerberos Cached Credentials Dumping
- Keychain Password Retrieval via Command Line