Modification of Environment Variable via Launchctl

Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/01/14"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/02/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their
13own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain
14restrictions.
15"""
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Modification of Environment Variable via Launchctl"
21references = [
22    "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb",
23]
24risk_score = 47
25rule_id = "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1"
26severity = "medium"
27tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.category:process and host.os.type:macos and event.type:start and
33  process.name:launchctl and
34  process.args:(setenv and not (JAVA*_HOME or
35                                RUNTIME_JAVA_HOME or
36                                DBUS_LAUNCHD_SESSION_BUS_SOCKET or
37                                ANT_HOME or
38                                LG_WEBOS_TV_SDK_HOME or
39                                WEBOS_CLI_TV or
40                                EDEN_ENV)
41                ) and
42  not process.parent.executable:("/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
43                                 "/usr/local/bin/kr" or
44                                 "/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
45                                 "/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper") and
46  not process.args : "*.vmoptions"
47'''
48
49
50[[rule.threat]]
51framework = "MITRE ATT&CK"
52[[rule.threat.technique]]
53id = "T1574"
54name = "Hijack Execution Flow"
55reference = "https://attack.mitre.org/techniques/T1574/"
56[[rule.threat.technique.subtechnique]]
57id = "T1574.007"
58name = "Path Interception by PATH Environment Variable"
59reference = "https://attack.mitre.org/techniques/T1574/007/"
60
61
62
63[rule.threat.tactic]
64id = "TA0005"
65name = "Defense Evasion"
66reference = "https://attack.mitre.org/tactics/TA0005/"

to-top