SoftwareUpdate Preferences Modification

Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.


[metadata]
creation_date = "2021/01/15"
integration = ["endpoint"]
maturity = "production"
# min_stack_comments records why min_stack_version was raised: the field
# names it lists were introduced in the rule schema at that stack version.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

 9[rule]
10author = ["Elastic"]
11description = """
12Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in
13an attempt to disable security updates.
14"""
15false_positives = ["Authorized SoftwareUpdate Settings Changes"]
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "SoftwareUpdate Preferences Modification"
21references = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"]
22risk_score = 47
23rule_id = "f683dcdf-a018-4801-b066-193d4ae6c8e5"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
26timestamp_override = "event.ingested"
27type = "query"
28
29query = '''
30event.category:process and host.os.type:macos and event.type:(start or process_started) and
31 process.name:defaults and
32 process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))
33'''
34
35
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
# Mapped to the "Disable or Modify Tools" sub-technique because the behaviour in
# rule.description is switching off security updates, i.e. a defensive control.
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
