WebProxy Settings Modification
Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2021/01/05"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to
hijack web browser traffic for credential access via traffic sniffing or redirection.
"""
false_positives = ["Legitimate WebProxy Settings Modification"]
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "WebProxy Settings Modification"
references = [
    "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/",
    "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf",
]
risk_score = 47
rule_id = "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect; for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration preset, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:start and
 process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and
 not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or
 "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or
 "/usr/libexec/xpcproxy") and
 not process.Ext.effective_parent.executable : ("/Applications/Proxyman.app/Contents/MacOS/Proxyman" or "/Applications/Incoggo.app/Contents/MacOS/Incoggo.app")
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating WebProxy Settings Modification

Web proxy settings in macOS manage how web traffic is routed, often used to enhance security or manage network traffic. Adversaries may exploit these settings to redirect or intercept web traffic, potentially capturing sensitive data like credentials. The detection rule identifies suspicious use of the `networksetup` command to alter proxy settings, excluding known legitimate applications, thus highlighting potential unauthorized modifications indicative of malicious activity.

### Possible investigation steps

- Review the process details to confirm the use of the networksetup command with -setwebproxy, -setsecurewebproxy, or -setautoproxyurl, and record the target: the proxy host and port, or the PAC URL passed to -setautoproxyurl. That target is where the redirected traffic is going.
- Check the parent process (process.parent.executable) and, because processes spawned through launchd show /usr/libexec/xpcproxy as their direct parent, the effective parent (process.Ext.effective_parent.executable) to identify what actually invoked networksetup. The rule already excludes known tools such as /Library/PrivilegedHelperTools/com.80pct.FreedomHelper and /Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi, so a shell, script interpreter, or unfamiliar application bundle as the launcher deserves close attention.
- Investigate the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.
- Examine recent network traffic logs for unusual patterns or connections that could suggest traffic redirection or interception.
- Look for any additional alerts or logs related to the same host or user that might indicate a broader pattern of suspicious activity.
- Assess the system for any signs of compromise or unauthorized access, such as unexpected user accounts or changes to system configurations.

### False positive analysis

- Legitimate applications like FreedomHelper and Fiddler Everywhere may trigger the rule when they modify proxy settings; ensure they are included in the exclusion list of known applications. /usr/libexec/xpcproxy is not an application but the helper launchd uses to spawn services, which is why it appears as the direct parent of launchd-spawned processes; the rule relies on process.Ext.effective_parent.executable to identify the real parent in those cases.
- Network management tools such as Proxyman and Incoggo might also be detected. Add these to the exclusion list to avoid unnecessary alerts.
- Regular system updates or configurations by IT administrators can sometimes involve proxy setting changes. Coordinate with IT to identify these activities and consider adding them to the exclusion criteria if they are routine and verified as safe.
- Automated scripts or maintenance tasks that adjust proxy settings for legitimate reasons should be reviewed and, if deemed non-threatening, excluded from detection to reduce false positives.
- Monitor for any new applications or processes that may need to be added to the exclusion list as part of ongoing security management to ensure the rule remains effective without generating excessive false alerts.

### Response and remediation

- Immediately isolate the affected macOS device from the network to prevent further unauthorized access or data exfiltration.
- `networksetup` itself exits as soon as it has written the setting, so terminate the process that launched it if that launcher is not a known legitimate application, and identify what spawned the launcher in turn.
- Review and reset the web proxy settings on the affected device to their default or intended configuration (`networksetup -setwebproxystate`, `-setsecurewebproxystate` and `-setautoproxystate <service> off` disable the three settings the rule covers) to ensure no malicious redirection is in place.
- Conduct a thorough scan of the affected system using updated security tools to identify and remove any malware or unauthorized software that may have been installed.
- Analyze logs and network traffic to identify any data that may have been intercepted or exfiltrated, focusing on sensitive information such as credentials.
- Escalate the incident to the security operations team for further investigation and to determine if other systems may be affected.
- Implement enhanced monitoring and alerting for similar activities across the network to detect and respond to future attempts promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1539"
name = "Steal Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1539/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
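The query above, re-implemented in Python and run over constructed process-start events, as an added example that is not part of the rule or Elastic's code. It shows which invocations alert, how the parent and effective-parent exclusions behave, and that the `not (Bluetooth or off)` carve-out suppresses any invocation whose argument list contains either literal token. The events are constructed to resemble ECS documents from Elastic Defend; the 203.0.113.0/24 addresses are from a documentation range, not real infrastructure.

```python
"""Python re-implementation of the WebProxy Settings Modification KQL query over constructed events.

Added example; not the rule's own code or Elastic's. The events are constructed to resemble
ECS process-start documents from Elastic Defend, not real telemetry.
"""
from __future__ import annotations

from typing import Any

# Literals copied from the rule's query.
PROXY_FLAGS = {"-setwebproxy", "-setsecurewebproxy", "-setautoproxyurl"}
CARVE_OUT_TOKENS = {"Bluetooth", "off"}  # `and not (Bluetooth or off)` in the query
EXCLUDED_PARENTS = {
    "/Library/PrivilegedHelperTools/com.80pct.FreedomHelper",
    "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi",
    "/usr/libexec/xpcproxy",
}
EXCLUDED_EFFECTIVE_PARENTS = {
    "/Applications/Proxyman.app/Contents/MacOS/Proxyman",
    "/Applications/Incoggo.app/Contents/MacOS/Incoggo.app",
}


def field(event: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field name against a nested document; missing fields yield None."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def values(event: dict[str, Any], path: str) -> set[Any]:
    """ECS fields may be scalar or array; KQL `field : x` matches if any element equals x."""
    raw = field(event, path)
    if raw is None:
        return set()
    return set(raw) if isinstance(raw, (list, tuple)) else {raw}


def rule_matches(event: dict[str, Any]) -> bool:
    """True when the event satisfies every clause of the rule's query."""
    if "process" not in values(event, "event.category"):
        return False
    if field(event, "host.os.type") != "macos":
        return False
    if "start" not in values(event, "event.type"):
        return False
    if field(event, "process.name") != "networksetup":
        return False
    args = values(event, "process.args")
    # process.args : ((flags) and not (Bluetooth or off)): a proxy flag must be present
    # and neither carve-out token may appear anywhere in the argument list.
    if not (args & PROXY_FLAGS) or (args & CARVE_OUT_TOKENS):
        return False
    # `not field : (...)` is satisfied when the field is absent, hence the plain `in` test.
    if field(event, "process.parent.executable") in EXCLUDED_PARENTS:
        return False
    if field(event, "process.Ext.effective_parent.executable") in EXCLUDED_EFFECTIVE_PARENTS:
        return False
    return True


def process_start(args: list[str], parent: str, effective_parent: str | None = None,
                  os_type: str = "macos") -> dict[str, Any]:
    """Build a minimal constructed ECS process-start event."""
    return {
        "event": {"category": ["process"], "type": ["start"]},
        "host": {"os": {"type": os_type}},
        "process": {
            "name": args[0].rsplit("/", 1)[-1],
            "args": args,
            "parent": {"executable": parent},
            "Ext": {"effective_parent": {"executable": effective_parent or parent}},
        },
    }


# Constructed sample events (203.0.113.0/24 is a documentation range, not a real proxy).
SAMPLE_EVENTS: dict[str, dict[str, Any]] = {
    "shell_sets_http_proxy": process_start(
        ["networksetup", "-setwebproxy", "Wi-Fi", "203.0.113.10", "8080"], "/bin/bash"),
    "script_sets_pac_url": process_start(
        ["networksetup", "-setautoproxyurl", "Wi-Fi", "http://203.0.113.10/proxy.pac"],
        "/usr/bin/python3"),
    "proxyman_via_launchd": process_start(
        ["networksetup", "-setsecurewebproxy", "Wi-Fi", "127.0.0.1", "9090"],
        "/usr/libexec/xpcproxy", "/Applications/Proxyman.app/Contents/MacOS/Proxyman"),
    "authenticated_off_carve_out": process_start(
        ["networksetup", "-setwebproxy", "Wi-Fi", "203.0.113.10", "8080", "off"], "/bin/zsh"),
    "bluetooth_service_carve_out": process_start(
        ["networksetup", "-setwebproxy", "Bluetooth", "203.0.113.10", "8080"], "/bin/zsh"),
    "linux_host": process_start(
        ["networksetup", "-setwebproxy", "Wi-Fi", "203.0.113.10", "8080"], "/bin/bash",
        os_type="linux"),
}


def run_rule(events: dict[str, dict[str, Any]]) -> list[str]:
    """Names of the sample events that would raise this alert, in input order."""
    return [name for name, ev in events.items() if rule_matches(ev)]


if __name__ == "__main__":
    for name in run_rule(SAMPLE_EVENTS):
        print("ALERT", name, " ".join(SAMPLE_EVENTS[name]["process"]["args"]))
```

Only the bash- and python3-launched invocations alert. The `authenticated_off_carve_out` event is worth noticing: networksetup's `-setwebproxy` usage takes an `<authenticated>` on/off positional parameter after the port, so a command that spells out `off` there also falls inside the carve-out. Before relying on that exclusion, check what legitimately passes `off` or `Bluetooth` in your own telemetry.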
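For the investigation step of confirming what the host's proxy configuration now is, and the remediation step of resetting it, the following added example (not the rule's or Elastic's code) drives networksetup's own getter verbs and derives the matching `-set...state <service> off` commands. The parser is exercised on constructed output modelled on networksetup's `Key: value` format as printed by recent macOS releases (an assumption to verify on your own hosts), so it can be read and tested off-box; live collection runs only on macOS, and the reset commands are printed rather than executed unless `apply=True`.

```python
"""Audit per-service proxy settings on macOS with networksetup's getter verbs and derive reset commands.

Added example for the investigation and remediation steps; not the rule's or Elastic's code.
The parser runs against constructed output modelled on networksetup's `Key: value` format
(assumed from recent macOS releases; verify on your hosts). Live collection only happens on
macOS, and reset commands are printed, not executed, unless apply=True.
"""
from __future__ import annotations

import shutil
import subprocess
import sys

GETTERS = ("-getwebproxy", "-getsecurewebproxy", "-getautoproxyurl")
# Getter verb -> the state verb that disables the corresponding setting for a service.
STATE_VERB = {
    "-getwebproxy": "-setwebproxystate",
    "-getsecurewebproxy": "-setsecurewebproxystate",
    "-getautoproxyurl": "-setautoproxystate",
}


def parse_kv(output: str) -> dict[str, str]:
    """Parse `Key: value` lines; splits on the first colon so URL values keep theirs."""
    parsed: dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            parsed[key.strip()] = value.strip()
    return parsed


def finding(service: str, verb: str, output: str) -> dict | None:
    """Describe an enabled proxy setting, or return None when the setting is off."""
    kv = parse_kv(output)
    if kv.get("Enabled", "").lower() != "yes":
        return None
    if verb == "-getautoproxyurl":
        target = kv.get("URL", "")
    else:
        target = f"{kv.get('Server', '')}:{kv.get('Port', '')}"
    return {
        "service": service,
        "setting": verb.removeprefix("-get"),
        "target": target,
        "reset": ["networksetup", STATE_VERB[verb], service, "off"],
    }


def audit(outputs: dict[tuple[str, str], str]) -> list[dict]:
    """outputs maps (network service, getter verb) -> raw command output."""
    return [f for (svc, verb), out in outputs.items() if (f := finding(svc, verb, out))]


# Constructed sample output (documentation-range address); not captured from a real host.
SAMPLE_OUTPUTS: dict[tuple[str, str], str] = {
    ("Wi-Fi", "-getwebproxy"):
        "Enabled: Yes\nServer: 203.0.113.10\nPort: 8080\nAuthenticated Proxy Enabled: 0\n",
    ("Wi-Fi", "-getsecurewebproxy"):
        "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
    ("Wi-Fi", "-getautoproxyurl"):
        "URL: http://203.0.113.10/proxy.pac\nEnabled: Yes\n",
    ("Thunderbolt Bridge", "-getwebproxy"):
        "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
}


def list_services() -> list[str]:
    """Network service names; the first output line is a legend and '*' marks a disabled service."""
    out = subprocess.run(["networksetup", "-listallnetworkservices"],
                         capture_output=True, text=True, check=True).stdout
    return [line.lstrip("*") for line in out.splitlines()[1:] if line.strip()]


def collect_live() -> dict[tuple[str, str], str]:
    """Run every getter against every service (macOS only)."""
    outputs: dict[tuple[str, str], str] = {}
    for svc in list_services():
        for verb in GETTERS:
            outputs[(svc, verb)] = subprocess.run(
                ["networksetup", verb, svc], capture_output=True, text=True).stdout
    return outputs


def main(apply: bool = False) -> list[dict]:
    live = sys.platform == "darwin" and shutil.which("networksetup") is not None
    findings = audit(collect_live() if live else SAMPLE_OUTPUTS)
    for f in findings:
        print(f"{f['service']}: {f['setting']} enabled -> {f['target']}")
        print("  reset:", " ".join(f["reset"]))
        if apply and live:
            subprocess.run(f["reset"], check=True)
    return findings


if __name__ == "__main__":
    main(apply="--apply" in sys.argv)
```

Run as is, it reports the two enabled settings in the constructed sample; on a macOS host it enumerates the real services, and `--apply` runs the reset verbs (changing settings with networksetup normally requires administrator rights). `scutil --proxy` prints the effective system proxy dictionary (HTTPEnable, HTTPProxy, ProxyAutoConfigURLString and so on) and is a quick cross-check. Resetting the settings removes the redirection but not whatever wrote them; the launching process from the alert is the thread to pull.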
Related rules
- Access to Keychain Credentials Directories
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command
- Kerberos Cached Credentials Dumping
- Keychain Password Retrieval via Command Line