Attempt to Unload Elastic Endpoint Security Kernel Extension
Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/01/05"
3integration = ["endpoint"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/06/22"
8
9[rule]
10author = ["Elastic"]
11description = "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command."
12from = "now-9m"
13index = ["auditbeat-*", "logs-endpoint.events.*"]
14language = "kuery"
15license = "Elastic License v2"
16name = "Attempt to Unload Elastic Endpoint Security Kernel Extension"
17risk_score = 73
18rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24"
19severity = "high"
20tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
21timestamp_override = "event.ingested"
22type = "query"
23
24query = '''
25event.category:process and host.os.type:macos and event.type:(start or process_started) and
26 process.name:kextunload and process.args:("/System/Library/Extensions/EndpointSecurity.kext" or "EndpointSecurity.kext")
27'''
28
29
30[[rule.threat]]
31framework = "MITRE ATT&CK"
32[[rule.threat.technique]]
33id = "T1562"
34name = "Impair Defenses"
35reference = "https://attack.mitre.org/techniques/T1562/"
36[[rule.threat.technique.subtechnique]]
37id = "T1562.001"
38name = "Disable or Modify Tools"
39reference = "https://attack.mitre.org/techniques/T1562/001/"
40
41
42
43[rule.threat.tactic]
44id = "TA0005"
45name = "Defense Evasion"
46reference = "https://attack.mitre.org/tactics/TA0005/"
47[[rule.threat]]
48framework = "MITRE ATT&CK"
49[[rule.threat.technique]]
50id = "T1547"
51name = "Boot or Logon Autostart Execution"
52reference = "https://attack.mitre.org/techniques/T1547/"
53[[rule.threat.technique.subtechnique]]
54id = "T1547.006"
55name = "Kernel Modules and Extensions"
56reference = "https://attack.mitre.org/techniques/T1547/006/"
57
58
59
60[rule.threat.tactic]
61id = "TA0003"
62name = "Persistence"
63reference = "https://attack.mitre.org/tactics/TA0003/"
Related rules
- Attempt to Disable Gatekeeper
- Attempt to Install Root Certificate
- Attempt to Remove File Quarantine Attribute
- Creation of Hidden Launch Agent or Daemon
- Elastic Agent Service Terminated