Modification of Safari Settings via Defaults Command

Identifies changes to Safari's configuration made with the built-in defaults command. Adversaries may enable or disable Safari settings that weaken the browser, such as the Develop-menu option that allows JavaScript from Apple Events, which makes it easier to hijack the user's browser sessions through scripting.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/01/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or
disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users
browser.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of Safari Settings via Defaults Command"
references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"]
risk_score = 47
rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:start and
  process.name:defaults and process.args:
    (com.apple.Safari and write and not
      (
      UniversalSearchEnabled or
      SuppressSearchSuggestions or
      WebKitTabToLinksPreferenceKey or
      ShowFullURLInSmartSearchField or
      com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks
      )
    )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Modification of Safari Settings via Defaults Command

The 'defaults' command in macOS is a utility that allows users to read, write, and manage macOS application preferences, including Safari settings. Adversaries may exploit this command to alter Safari configurations, potentially enabling harmful features like JavaScript from Apple Events, which can facilitate browser hijacking. The detection rule monitors for suspicious 'defaults' command usage targeting Safari settings, excluding benign preference changes, to identify potential defense evasion attempts.

### Possible investigation steps

- Review the process execution details to confirm the use of the 'defaults' command with arguments targeting Safari settings, specifically looking for any suspicious or unauthorized changes.
- Check the user account associated with the process execution to determine if the action was performed by a legitimate user or an unauthorized entity.
- Investigate the system's recent activity logs to identify any other unusual or suspicious behavior around the time the 'defaults' command was executed.
- Examine the Safari settings before and after the change to assess the impact and identify any potentially harmful configurations, such as enabling JavaScript from Apple Events.
- Correlate the event with other security alerts or incidents to determine if this action is part of a broader attack or compromise attempt.

### False positive analysis

- Changes to Safari settings for legitimate user preferences can trigger alerts, such as enabling or disabling search suggestions. Users can create exceptions for these specific settings by excluding them from the detection rule.
- System administrators may use the defaults command to configure Safari settings across multiple devices for compliance or user experience improvements. These actions can be whitelisted by identifying the specific process arguments used in these administrative tasks.
- Automated scripts or management tools that adjust Safari settings as part of routine maintenance or updates may cause false positives. Users should identify these scripts and exclude their specific process arguments from the detection rule.
- Developers testing Safari configurations might frequently change settings using the defaults command. Excluding known developer machines or user accounts from the rule can help reduce false positives.
- Educational or training environments where users are instructed to modify Safari settings for learning purposes can lead to alerts. Identifying and excluding these environments or sessions can mitigate unnecessary alerts.

### Response and remediation

- Immediately isolate the affected macOS device from the network to prevent further malicious activity or data exfiltration.
- Terminate any suspicious processes related to the 'defaults' command that are currently running on the affected device.
- Revert any unauthorized changes made to Safari settings by restoring them to their default or previously known safe state.
- Conduct a thorough scan of the affected device using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any additional malware or malicious scripts.
- Review and update the device's security settings to prevent unauthorized changes, including disabling unnecessary Apple Events and restricting the use of the 'defaults' command to authorized personnel only.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if other devices in the network are affected.
- Implement enhanced monitoring and alerting for similar 'defaults' command usage across the network to detect and respond to future attempts promptly."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating Modification of Safari Settings via Defaults Command

The defaults command reads, writes and deletes keys in macOS preference domains, including Safari's com.apple.Safari domain. An adversary who already runs code as the user can use it to flip Safari settings that lower the browser's defenses; the classic case is the Develop-menu option "Allow JavaScript from Apple Events", which lets AppleScript (for example via osascript) execute arbitrary JavaScript in the user's open pages and so read or manipulate authenticated sessions. The rule fires on a defaults process start whose arguments contain both com.apple.Safari and write, while excluding five keys that control cosmetic preferences (search suggestions, tab-to-links behaviour, full-URL display). Two caveats matter when reading an alert. First, the match is on the literal domain token: invocations that address Safari through the -app flag or through a path to the plist file, and edits made with other tools such as PlistBuddy, are not covered. Second, on recent macOS releases Safari's preferences live in its sandboxed container, so a defaults write issued from an unprivileged terminal may fail or land in a plist Safari never reads; the rule still alerts on the attempt, and an attempt is itself worth investigating.
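To make the query's semantics concrete, the following Python script, an added example that is not part of the Elastic rule or its repository, re-implements the KQL conditions over a handful of constructed Elastic Defend-style process events. The events, the user path and the helper names are made up for illustration; the preference key AllowJavaScriptFromAppleEvents is Safari's real key for the Develop-menu option the rule description mentions, but it is not named in the rule itself. The script also exercises two invocations that reach the same setting without the literal com.apple.Safari argument, to show where the rule's argument match stops.

```python
"""Emulate this rule's KQL over constructed process-start events.

The events below are constructed for illustration and are not captured
telemetry; field names follow ECS as Elastic Defend emits them.
"""

# Keys the rule treats as benign preference changes (copied from the query).
EXCLUDED_KEYS = {
    "UniversalSearchEnabled",
    "SuppressSearchSuggestions",
    "WebKitTabToLinksPreferenceKey",
    "ShowFullURLInSmartSearchField",
    "com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks",
}


def matches_rule(event: dict) -> bool:
    """Return True when `event` satisfies the rule's KQL.

    KQL on a keyword array field (process.args) matches a term when *any*
    element equals it exactly, so `process.args:(a and b and not (c or d))`
    means: some arg == a, some arg == b, and no arg equals c or d. The
    exclusion therefore applies to every argument position, not just the key.
    """
    if event.get("event.category") != "process":
        return False
    if event.get("host.os.type") != "macos":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") != "defaults":
        return False
    args = set(event.get("process.args", []))
    return (
        "com.apple.Safari" in args
        and "write" in args
        and not (args & EXCLUDED_KEYS)
    )


def _event(cmdline: str, os_type: str = "macos") -> dict:
    """Build a constructed process-start event from a command line (hypothetical helper)."""
    argv = cmdline.split()
    return {
        "event.category": "process",
        "event.type": "start",
        "host.os.type": os_type,
        "process.name": argv[0],
        "process.args": argv,
    }


SAMPLE_EVENTS = {
    # Enables the Develop-menu option the rule description calls out.
    "enable_js_from_apple_events": _event(
        "defaults write com.apple.Safari AllowJavaScriptFromAppleEvents -bool true"
    ),
    # Cosmetic preference change explicitly excluded by the rule.
    "disable_search_suggestions": _event(
        "defaults write com.apple.Safari SuppressSearchSuggestions -bool true"
    ),
    # Reading preferences is not a modification.
    "read_only": _event("defaults read com.apple.Safari AllowJavaScriptFromAppleEvents"),
    # Same change via the -app form: the literal domain token is absent,
    # so the rule as written does not fire (coverage gap).
    "app_flag_form": _event(
        "defaults write -app Safari AllowJavaScriptFromAppleEvents -bool true"
    ),
    # Same change addressed by plist path (constructed user path): exact-match
    # on the token com.apple.Safari fails, so this is also not matched.
    "path_form": _event(
        "defaults write /Users/alice/Library/Containers/com.apple.Safari/Data/"
        "Library/Preferences/com.apple.Safari AllowJavaScriptFromAppleEvents -bool true"
    ),
    # Rule is scoped to macOS hosts.
    "linux_host": _event(
        "defaults write com.apple.Safari AllowJavaScriptFromAppleEvents -bool true",
        os_type="linux",
    ),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule; returns name -> alerted."""
    return {name: matches_rule(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'quiet'}  {name}")
```

Running the script directly prints which samples alert. Adding another key to EXCLUDED_KEYS mirrors what a rule exception does in Kibana, and the app_flag_form and path_form samples show the invocations a companion rule would need to cover if you want the setting itself, rather than one way of reaching it, to be the thing you detect.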

Possible investigation steps

  • Review the process execution details (process.args, process.parent.name, process.working_directory) to confirm that defaults was invoked with write against com.apple.Safari, and identify exactly which key was changed and to what value.
  • Check the user account and the parent process: a write issued from an interactive shell by the device owner reads very differently from one spawned by osascript, a launch agent, an installer post-install script, or a binary running from a temporary directory.
  • Review other endpoint activity around the same time (new launch agents or daemons, osascript execution, downloads, network connections from unusual processes) for signs that the preference change is one step of a larger intrusion.
  • Read the current value of the changed key on the host (defaults read com.apple.Safari followed by the key name) and compare it with your baseline or MDM-managed value; a setting such as AllowJavaScriptFromAppleEvents enabled without a known business reason is a strong indicator.
  • Correlate the event with other alerts or incidents for the same host or user to determine whether the action is part of a broader compromise.

False positive analysis

  • Legitimate user preference changes, such as turning search suggestions on or off, trigger the rule only when the key is not already in the exclusion list; add further benign keys as rule exceptions once you have confirmed what they control.
  • System administrators may run defaults to configure Safari across a fleet for compliance or usability. Add exceptions for the specific process arguments (and, where possible, the parent process of the management tool) used by these tasks rather than excluding defaults outright.
  • Automated scripts or management tools that adjust Safari settings during routine maintenance can produce false positives; identify them and add exceptions on their exact arguments.
  • Developers testing Safari configurations may change settings frequently. Excluding known developer machines or accounts reduces noise, at the cost of visibility on those hosts.
  • Educational or training environments where users are instructed to modify Safari settings can generate alerts; exclude those environments or sessions if they cannot be tuned by argument.

Response and remediation

  • Isolate the affected macOS device from the network to prevent further malicious activity or data exfiltration.
  • defaults exits as soon as the write completes, so rather than hunting for it, identify and terminate the process that launched it and remove any persistence (launch agents or daemons, login items, cron jobs) that could re-apply the change.
  • Revert the unauthorized change, for example by deleting the key (defaults delete com.apple.Safari followed by the key name) or setting it back to the known-good value, and verify with defaults read that the value took effect in Safari's own preference domain.
  • Scan the device with up-to-date antivirus or EDR tooling to identify and remove any additional malware or malicious scripts.
  • Harden the configuration: enforce Safari preferences through MDM configuration profiles (managed preferences take precedence over user-level writes) and keep the Develop menu and JavaScript from Apple Events disabled where there is no business need. The defaults binary itself cannot practically be restricted, so controls should focus on what is allowed to write Safari's preferences.
  • Escalate to the SOC or incident response team to determine whether other devices are affected.
  • Extend monitoring for similar defaults usage across the fleet, including the -app and plist-path forms that this rule's argument match does not cover.
