Potential Privacy Control Bypass via Localhost Secure Copy

  1[metadata]
  2creation_date = "2020/01/11"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/18"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell
 11Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS
 12privacy controls to access sensitive files.
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.process*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Potential Privacy Control Bypass via Localhost Secure Copy"
 19references = [
 20    "https://www.trendmicro.com/en_us/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html",
 21]
 22risk_score = 73
 23rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d"
 24setup = """## Setup
 25
 26This rule requires data coming in from Elastic Defend.
 27
 28### Elastic Defend Integration Setup
 29Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 30
 31#### Prerequisite Requirements:
 32- Fleet is required for Elastic Defend.
 33- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 34
 35#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 36- Go to the Kibana home page and click "Add integrations".
 37- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 38- Click "Add Elastic Defend".
 39- Configure the integration name and optionally add a description.
 40- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 41- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 42- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 43- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 44For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 45- Click "Save and Continue".
 46- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 47For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 48"""
 49severity = "high"
 50tags = [
 51    "Domain: Endpoint",
 52    "OS: macOS",
 53    "Use Case: Threat Detection",
 54    "Tactic: Privilege Escalation",
 55    "Tactic: Defense Evasion",
 56    "Data Source: Elastic Defend",
 57    "Resources: Investigation Guide",
 58]
 59timestamp_override = "event.ingested"
 60type = "eql"
 61
 62query = '''
 63process where host.os.type == "macos" and event.type in ("start", "process_started") and
 64 process.name == "scp" and
 65 process.args like~ "StrictHostKeyChecking=no" and
 66 process.command_line : ("scp *localhost:/*", "scp *127.0.0.1:/*") and
 67 not process.args : "vagrant@*127.0.0.1*"
 68'''
 69note = """## Triage and analysis
 70
 71> **Disclaimer**:
 72> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 73
 74### Investigating Potential Privacy Control Bypass via Localhost Secure Copy
 75
 76Secure Copy Protocol (SCP) is used for secure file transfers over SSH. On macOS, SSH daemon inclusion in the Full Disk Access list can be exploited to bypass privacy controls. Adversaries may misuse SCP to locally copy files, evading security measures. The detection rule identifies such activity by monitoring SCP commands targeting localhost, excluding benign uses like Vagrant, to flag potential privacy control bypass attempts.
 77
 78### Possible investigation steps
 79
 80- Review the process details to confirm the presence of SCP commands targeting localhost or 127.0.0.1, as indicated by the process.command_line field.
 81- Check the process.args field for the presence of "StrictHostKeyChecking=no" to verify if the SCP command was executed with potentially insecure settings.
 82- Investigate the user account associated with the SCP command to determine if it is a legitimate user or potentially compromised.
 83- Examine the timing and frequency of the SCP command execution to identify any unusual patterns or repeated attempts that may indicate malicious activity.
 84- Cross-reference the alert with other security logs or alerts to identify any related suspicious activities or anomalies around the same timeframe.
 85- Assess the system for any unauthorized changes or access to sensitive files that may have occurred as a result of the SCP command execution.
 86
 87### False positive analysis
 88
 89- Vagrant usage can trigger false positives due to its legitimate use of SCP for local file transfers. To mitigate this, ensure that Vagrant-related SCP commands are excluded by refining the detection rule to ignore processes with arguments containing "vagrant@*127.0.0.1*".
 90- Development and testing environments may frequently use SCP to localhost for legitimate purposes. Consider creating exceptions for known development tools or scripts that regularly perform these actions to reduce noise.
 91- Automated backup solutions might use SCP to copy files locally as part of their routine operations. Identify and whitelist these processes to prevent them from being flagged as potential threats.
 92- System administrators may use SCP for local file management tasks. Establish a list of trusted administrator accounts or specific command patterns that can be safely excluded from triggering alerts.
 93- Continuous integration and deployment pipelines might involve SCP commands to localhost. Review and exclude these processes if they are part of a controlled and secure workflow.
 94
 95### Response and remediation
 96
 97- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.
 98- Terminate any suspicious SCP processes identified in the alert to halt ongoing unauthorized file transfers.
 99- Conduct a thorough review of the system's Full Disk Access list to identify and remove any unauthorized applications, including the SSH daemon if it was added without proper authorization.
100- Analyze the system's SSH configuration and logs to identify any unauthorized changes or access patterns, and revert any suspicious modifications.
101- Reset credentials for any accounts that may have been compromised, focusing on those with SSH access, and enforce the use of strong, unique passwords.
102- Implement network monitoring to detect and alert on any future SCP commands targeting localhost, especially those bypassing host key checks.
103- Escalate the incident to the security operations team for further investigation and to assess the potential impact on sensitive data, ensuring compliance with organizational incident response protocols."""
104
105
106[[rule.threat]]
107framework = "MITRE ATT&CK"
108[[rule.threat.technique]]
109id = "T1548"
110name = "Abuse Elevation Control Mechanism"
111reference = "https://attack.mitre.org/techniques/T1548/"
112
113
114[rule.threat.tactic]
115id = "TA0005"
116name = "Defense Evasion"
117reference = "https://attack.mitre.org/tactics/TA0005/"
118[[rule.threat]]
119framework = "MITRE ATT&CK"
120[[rule.threat.technique]]
121id = "T1548"
122name = "Abuse Elevation Control Mechanism"
123reference = "https://attack.mitre.org/techniques/T1548/"
124
125
126[rule.threat.tactic]
127id = "TA0004"
128name = "Privilege Escalation"
129reference = "https://attack.mitre.org/tactics/TA0004/"