Modification of Safari Settings via Defaults Command

Identifies changes to the Safari configuration made with the built-in `defaults` command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events, to make hijacking the user's browser easier.


 1[metadata]
 2creation_date = "2021/01/14"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or
13disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users
14browser.
15"""
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Modification of Safari Settings via Defaults Command"
21references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"]
22risk_score = 47
23rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae"
24severity = "medium"
25tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
26timestamp_override = "event.ingested"
27type = "query"
28
29query = '''
30event.category:process and host.os.type:macos and event.type:start and
31  process.name:defaults and process.args:
32    (com.apple.Safari and write and not
33      (
34      UniversalSearchEnabled or
35      SuppressSearchSuggestions or
36      WebKitTabToLinksPreferenceKey or
37      ShowFullURLInSmartSearchField or
38      com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks
39      )
40    )
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1562"
48name = "Impair Defenses"
49reference = "https://attack.mitre.org/techniques/T1562/"
50[[rule.threat.technique.subtechnique]]
51id = "T1562.001"
52name = "Disable or Modify Tools"
53reference = "https://attack.mitre.org/techniques/T1562/001/"
54
55
56
57[rule.threat.tactic]
58id = "TA0005"
59name = "Defense Evasion"
60reference = "https://attack.mitre.org/tactics/TA0005/"
