Modification of Environment Variable via Unsigned or Untrusted Parent

  1[metadata]
  2creation_date = "2021/01/14"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their
 11own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain
 12restrictions.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.*"]
 16language = "kuery"
 17license = "Elastic License v2"
 18name = "Modification of Environment Variable via Unsigned or Untrusted Parent"
 19references = [
 20    "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb",
 21]
 22risk_score = 47
 23rule_id = "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1"
 24setup = """## Setup
 25
 26This rule requires data coming in from Elastic Defend.
 27
 28### Elastic Defend Integration Setup
 29Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 30
 31#### Prerequisite Requirements:
 32- Fleet is required for Elastic Defend.
 33- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 34
 35#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 36- Go to the Kibana home page and click "Add integrations".
 37- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 38- Click "Add Elastic Defend".
 39- Configure the integration name and optionally add a description.
 40- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 41- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 42- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 43- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 44For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 45- Click "Save and Continue".
 46- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 47For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 48"""
 49severity = "medium"
 50tags = [
 51    "Domain: Endpoint",
 52    "OS: macOS",
 53    "Use Case: Threat Detection",
 54    "Tactic: Defense Evasion",
 55    "Data Source: Elastic Defend",
 56    "Resources: Investigation Guide",
 57]
 58timestamp_override = "event.ingested"
 59type = "query"
 60
 61query = '''
 62event.category:process and host.os.type:macos and event.type:start and
 63  process.name:launchctl and
 64  (process.parent.code_signature.exists : false or process.parent.code_signature.trusted : false) and
 65  process.args:(setenv and not (ANT_HOME or
 66                                DBUS_LAUNCHD_SESSION_BUS_SOCKET or
 67                                EDEN_ENV or
 68                                LG_WEBOS_TV_SDK_HOME or
 69                                RUNTIME_JAVA_HOME or
 70                                WEBOS_CLI_TV or
 71                                JAVA*_HOME) and
 72                not *.vmoptions) and
 73  not process.parent.executable:("/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper" or
 74                                  /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or
 75                                  /Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin or
 76                                  /usr/local/bin/kr)
 77'''
 78note = """## Triage and analysis
 79
 80> **Disclaimer**:
 81> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 82
 83### Investigating Modification of Environment Variable via Unsigned or Untrusted Parent
 84
 85Environment variables in macOS are crucial for configuring system and application behavior. Adversaries may exploit these by using the `launchctl` command to alter variables, enabling malicious payload execution or bypassing restrictions. The detection rule identifies suspicious modifications initiated by untrusted or unsigned parent processes, focusing on atypical environment variables and excluding known safe executables, thus highlighting potential threats.
 86
 87### Possible investigation steps
 88
 89- Review the process tree to identify the parent process of the `launchctl` command, focusing on whether the parent process is unsigned or untrusted, as indicated by the absence or lack of trust in the `process.parent.code_signature`.
 90- Examine the command-line arguments used with `launchctl`, specifically looking for the `setenv` command and any unusual or suspicious environment variables that are not part of the known safe list (e.g., ANT_HOME, DBUS_LAUNCHD_SESSION_BUS_SOCKET).
 91- Check the execution path of the parent process to determine if it matches any known safe executables, such as those listed in the exclusion criteria (e.g., /Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper).
 92- Investigate the user account under which the `launchctl` command was executed to determine if it aligns with expected behavior or if it might indicate a compromised account.
 93- Correlate this event with other security alerts or logs from the same host to identify any patterns or additional indicators of compromise that might suggest a broader attack or intrusion attempt.
 94
 95### False positive analysis
 96
 97- Development tools like IntelliJ IDEA may trigger false positives when using the jspawnhelper executable. To mitigate this, add the executable path to the exclusion list if it is a known and trusted application in your environment.
 98- NoMachine software can cause false positives due to its use of nxserver.bin. If this software is regularly used and trusted, consider excluding its executable path from the detection rule.
 99- The kr tool located at /usr/local/bin/kr might be flagged as a false positive. If this tool is part of your standard operations, ensure its path is excluded to prevent unnecessary alerts.
100- Review any other unsigned or untrusted parent processes that are part of legitimate software installations or operations. If they are verified as safe, add them to the exclusion list to reduce false positives.
101- Regularly update the list of known safe executables and environment variables to reflect changes in your software inventory, ensuring that legitimate processes are not mistakenly flagged.
102
103### Response and remediation
104
105- Immediately isolate the affected macOS system from the network to prevent potential lateral movement or further exploitation.
106- Terminate any suspicious processes associated with the untrusted or unsigned parent process that initiated the `launchctl` command to halt any ongoing malicious activity.
107- Conduct a thorough review of the environment variables modified by the `launchctl` command to identify any unauthorized changes and revert them to their original state.
108- Analyze the parent process that triggered the alert to determine its origin and purpose, and remove any malicious or unauthorized software identified during this analysis.
109- Restore the system from a known good backup if any critical system components or configurations have been compromised.
110- Implement additional monitoring and logging for `launchctl` usage and environment variable modifications to detect similar threats in the future.
111- Escalate the incident to the security operations team for further investigation and to assess the need for broader organizational response measures."""
112
113
114[[rule.threat]]
115framework = "MITRE ATT&CK"
116[[rule.threat.technique]]
117id = "T1574"
118name = "Hijack Execution Flow"
119reference = "https://attack.mitre.org/techniques/T1574/"
120[[rule.threat.technique.subtechnique]]
121id = "T1574.007"
122name = "Path Interception by PATH Environment Variable"
123reference = "https://attack.mitre.org/techniques/T1574/007/"
124
125
126
127[rule.threat.tactic]
128id = "TA0005"
129name = "Defense Evasion"
130reference = "https://attack.mitre.org/tactics/TA0005/"