Modification of Safari Settings via Defaults Command
Identifies changes to the Safari configuration made with the built-in defaults command. Adversaries may enable or disable specific Safari settings, such as allowing JavaScript from Apple Events, to make it easier to hijack the user's browser.
Elastic rule
[metadata]
creation_date = "2021/01/14"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or
disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the user's
browser.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of Safari Settings via Defaults Command"
references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"]
risk_score = 47
rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:start and
  process.name:defaults and process.args:
  (com.apple.Safari and write and not
    (
      UniversalSearchEnabled or
      SuppressSearchSuggestions or
      WebKitTabToLinksPreferenceKey or
      ShowFullURLInSmartSearchField or
      com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks
    )
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
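The query above is the rule's only logic, so the behaviour worth checking is which argument lists it matches and which it suppresses. The Python below is an added example, not code from the Elastic rule or its repository: it re-implements the KQL conditions as a function and runs it over constructed ECS-style events. It assumes events are flat dicts keyed by the ECS field names the rule uses, that process.args is matched as exact, case-sensitive tokens (an ECS keyword field), and that the Safari preference keys in the samples are illustrative rather than taken from the page.

```python
# Added example (not from the Elastic rule or its repository): a Python stand-in for the
# rule's KQL query, evaluated over constructed ECS-style events. Assumptions: events are
# flat dicts keyed by the ECS field names the rule uses, process.args is matched as exact
# tokens (ECS keyword field, case-sensitive), and the preference keys in the samples are
# illustrative.

EXCLUDED_KEYS = frozenset({
    "UniversalSearchEnabled",
    "SuppressSearchSuggestions",
    "WebKitTabToLinksPreferenceKey",
    "ShowFullURLInSmartSearchField",
    "com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks",
})


def matches_rule(event: dict) -> bool:
    """Mirror the rule's query: a macOS process-start event for `defaults` whose
    argument list contains both 'com.apple.Safari' and 'write' and none of the
    benign preference keys the rule excludes."""
    if event.get("event.category") != "process":
        return False
    if event.get("host.os.type") != "macos":
        return False
    if event.get("event.type") != "start":
        return False
    if event.get("process.name") != "defaults":
        return False
    args = set(event.get("process.args", []))
    # KQL `process.args:(A and B)` requires both tokens somewhere in the array;
    # order is not checked, and each token must equal an argument exactly.
    if not {"com.apple.Safari", "write"} <= args:
        return False
    # `not (K1 or K2 ...)`: any excluded key anywhere in the argument list suppresses the hit.
    return not (args & EXCLUDED_KEYS)


def make_event(argv, os_type="macos", event_type="start"):
    """Build a constructed ECS-style process-start event from an argv list."""
    return {
        "event.category": "process",
        "event.type": event_type,
        "host.os.type": os_type,
        "process.name": argv[0],
        "process.args": list(argv),
    }


# Constructed sample events, not real telemetry. Preference key names are illustrative.
SAMPLE_EVENTS = {
    # The case the rule description calls out: allow JavaScript from Apple Events.
    "enable_js_from_apple_events": make_event(
        ["defaults", "write", "com.apple.Safari", "AllowJavaScriptFromAppleEvents", "-bool", "true"]),
    # Any other key under com.apple.Safari also alerts (no exclusion matches).
    "disable_fraud_warning": make_event(
        ["defaults", "write", "com.apple.Safari", "WarnAboutFraudulentWebsites", "-bool", "false"]),
    # Excluded benign key: should not alert.
    "benign_universal_search": make_event(
        ["defaults", "write", "com.apple.Safari", "UniversalSearchEnabled", "-bool", "false"]),
    # Read, not write: should not alert.
    "read_only": make_event(["defaults", "read", "com.apple.Safari"]),
    # Different preference domain: exact-token match means no alert.
    "sandbox_broker_domain": make_event(
        ["defaults", "write", "com.apple.Safari.SandboxBroker", "SomeKey", "-bool", "true"]),
    # Same command on a non-macOS host: out of scope for the rule.
    "linux_host": make_event(
        ["defaults", "write", "com.apple.Safari", "AllowJavaScriptFromAppleEvents", "-bool", "true"],
        os_type="linux"),
}


def alerting_events(events: dict = SAMPLE_EVENTS) -> list:
    """Return the names of the events the rule would alert on, in dict order."""
    return [name for name, ev in events.items() if matches_rule(ev)]


if __name__ == "__main__":
    for name in alerting_events():
        print("ALERT", name)
```

Two properties of the query stand out when it is run this way. The exclusion is a set test over the whole argument list, so a command that writes a sensitive key but also happens to carry one of the excluded tokens is suppressed. And because matching is on exact tokens, only the literal com.apple.Safari domain is covered: `defaults write -app Safari ...` (the `-app` form of the domain argument that `defaults` accepts) never contains that token and would not match, which is worth keeping in mind when tuning or extending the rule.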
Related rules
- Attempt to Disable Gatekeeper
- Attempt to Install Root Certificate
- Attempt to Remove File Quarantine Attribute
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Creation of Hidden Launch Agent or Daemon