Attempt to Unload Elastic Endpoint Security Kernel Extension

  1[metadata]
  2creation_date = "2020/01/05"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/18"
  6
  7[rule]
  8author = ["Elastic"]
  9description = "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command."
 10from = "now-9m"
 11index = ["logs-endpoint.events.*"]
 12language = "eql"
 13license = "Elastic License v2"
 14name = "Attempt to Unload Elastic Endpoint Security Kernel Extension"
 15risk_score = 73
 16rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24"
 17setup = """## Setup
 18
 19This rule requires data coming in from Elastic Defend.
 20
 21### Elastic Defend Integration Setup
 22Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 23
 24#### Prerequisite Requirements:
 25- Fleet is required for Elastic Defend.
 26- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 27
 28#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 29- Go to the Kibana home page and click "Add integrations".
 30- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 31- Click "Add Elastic Defend".
 32- Configure the integration name and optionally add a description.
 33- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 34- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 35- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 36- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 37For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 38- Click "Save and Continue".
 39- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 40For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 41"""
 42severity = "high"
 43tags = [
 44    "Domain: Endpoint",
 45    "OS: macOS",
 46    "Use Case: Threat Detection",
 47    "Tactic: Defense Evasion",
 48    "Data Source: Elastic Defend",
 49    "Resources: Investigation Guide",
 50]
 51timestamp_override = "event.ingested"
 52type = "eql"
 53
 54query = '''
 55process where host.os.type == "macos" and event.type in ("start", "process_started") and
 56 process.name == "kextunload" and process.args like~ ("/System/Library/Extensions/EndpointSecurity.kext", "EndpointSecurity.kext")
 57'''
 58note = """## Triage and analysis
 59
 60> **Disclaimer**:
 61> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 62
 63### Investigating Attempt to Unload Elastic Endpoint Security Kernel Extension
 64
 65Elastic Endpoint Security's kernel extension is crucial for monitoring and protecting macOS systems by intercepting and analyzing system-level events. Adversaries may attempt to unload this extension using the `kextunload` command to evade detection and impair defenses. The detection rule identifies such attempts by monitoring process events related to the `kextunload` command targeting the security extension, flagging potential defense evasion activities.
 66
 67### Possible investigation steps
 68
 69- Review the process event details to confirm the presence of the `kextunload` command targeting "EndpointSecurity.kext" in the process arguments.
 70- Identify the user account associated with the process event to determine if the action was initiated by an authorized or suspicious user.
 71- Check the host's recent activity logs for any other unusual or unauthorized actions that might indicate a broader attack or compromise.
 72- Investigate the source of the command execution by examining the parent process and any related processes to understand how the `kextunload` command was initiated.
 73- Assess the system for any signs of tampering or additional indicators of compromise, such as unauthorized file modifications or unexpected network connections.
 74- Correlate this event with other alerts or logs from the same host or user to identify potential patterns or coordinated activities.
 75
 76### False positive analysis
 77
 78- System administrators performing routine maintenance may trigger the rule when testing or updating kernel extensions. To manage this, create exceptions for known maintenance activities by whitelisting specific user accounts or processes during scheduled maintenance windows.
 79- Legitimate software updates or installations that require unloading the kernel extension might be flagged. To handle this, monitor and document regular update schedules and create exceptions for these activities, ensuring they align with expected update patterns.
 80- Security testing or audits conducted by authorized personnel could also trigger the rule. Implement a process to temporarily disable the rule or whitelist specific testing tools and accounts during these audits to prevent false positives.
 81- Development environments where kernel extensions are frequently loaded and unloaded for testing purposes may generate alerts. Consider setting up a separate monitoring profile for development systems with adjusted thresholds or exceptions to accommodate these activities.
 82
 83### Response and remediation
 84
 85- Immediately isolate the affected macOS system from the network to prevent further unauthorized actions or potential lateral movement by the adversary.
 86- Terminate any unauthorized processes related to the `kextunload` command to stop the attempt to unload the Elastic Endpoint Security kernel extension.
 87- Conduct a thorough review of system logs and process execution history to identify any additional suspicious activities or indicators of compromise associated with the adversary's attempt.
 88- Restore the Elastic Endpoint Security kernel extension if it was successfully unloaded, ensuring that the system's protective measures are fully operational.
 89- Update and patch the macOS system and all security software to the latest versions to mitigate any known vulnerabilities that could be exploited by adversaries.
 90- Implement additional monitoring and alerting for any future attempts to execute the `kextunload` command, particularly targeting security-related kernel extensions.
 91- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if broader organizational defenses need to be adjusted."""
 92
 93
 94[[rule.threat]]
 95framework = "MITRE ATT&CK"
 96[[rule.threat.technique]]
 97id = "T1562"
 98name = "Impair Defenses"
 99reference = "https://attack.mitre.org/techniques/T1562/"
100[[rule.threat.technique.subtechnique]]
101id = "T1562.001"
102name = "Disable or Modify Tools"
103reference = "https://attack.mitre.org/techniques/T1562/001/"
104
105
106
107[rule.threat.tactic]
108id = "TA0005"
109name = "Defense Evasion"
110reference = "https://attack.mitre.org/tactics/TA0005/"
111[[rule.threat]]
112framework = "MITRE ATT&CK"
113[[rule.threat.technique]]
114id = "T1547"
115name = "Boot or Logon Autostart Execution"
116reference = "https://attack.mitre.org/techniques/T1547/"
117[[rule.threat.technique.subtechnique]]
118id = "T1547.006"
119name = "Kernel Modules and Extensions"
120reference = "https://attack.mitre.org/techniques/T1547/006/"
121
122
123
124[rule.threat.tactic]
125id = "TA0003"
126name = "Persistence"
127reference = "https://attack.mitre.org/tactics/TA0003/"