WebProxy Settings Modification

Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/05"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to
13hijack web browser traffic for credential access via traffic sniffing or redirection.
14"""
15false_positives = ["Legitimate WebProxy Settings Modification"]
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "WebProxy Settings Modification"
21references = [
22    "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
23    "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf",
24]
25risk_score = 47
26rule_id = "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "query"
31
32query = '''
33event.category:process and host.os.type:macos and event.type:start and
34 process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and
35 not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or
36                                  "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or
37                                  "/usr/libexec/xpcproxy")
38'''
39
40
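# MITRE ATT&CK mapping. The technique and tactic sub-tables belong to this
# single `[[rule.threat]]` element and must stay between it and any later
# `[[rule.threat]]` entry. The tactic matches the "Tactic: Credential Access"
# tag on the rule.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"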

References
