System and Network Configuration Check
Detects when the SystemConfiguration preferences plist file is accessed by an unusual or suspicious process. This may indicate an attempt to gain situational awareness on a target system by reading network configuration details.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects when the SystemConfiguration preferences plist file is accessed by an unusual or suspicious
process. This may indicate an attempt to gain situational awareness on a target system by reading
network configuration details.
"""
from = "now-9m"
index = ["logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "System and Network Configuration Check"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating System and Network Configuration Check

This rule flags suspicious processes reading macOS SystemConfiguration preferences, which can reveal network interfaces, DNS settings, and other environment details used to plan lateral movement or data exfiltration. Attackers commonly run scripting runtimes (e.g., Python, AppleScript, Node) or binaries staged in temporary/shared directories to open the preferences plist during early discovery. Catching this access helps identify stealthy reconnaissance before overt network activity begins.

### Possible investigation steps

- Identify the parent process and full execution chain for the accessing process, including any script path/arguments, to determine whether it was launched by an interactive user, management tooling, or a suspicious launcher.
- Review the accessing binary's provenance by checking code signature/notarization status, file hash reputation, and whether it was recently created or executed from temporary/shared directories indicating staging.
- Correlate nearby discovery activity on the host (e.g., reads of other system/network plists, execution of `scutil`, `ifconfig`, `networksetup`, or `defaults read`) to assess whether this is part of a broader reconnaissance sequence.
- Examine concurrent network activity from the same process (outbound connections, DNS lookups, proxy changes) to identify follow-on behavior consistent with environment mapping or command-and-control.
- Validate the behavior against legitimate software on the host (IT management, VPN/endpoint tools, developer workflows) by matching timestamps to user logins, scheduled jobs, and recent installs/updates.

### False positive analysis

- A legitimate IT/admin or troubleshooting script run interactively (e.g., a Python/AppleScript wrapper) may read `/Library/Preferences/SystemConfiguration/preferences.plist` to collect network settings during support, onboarding, or diagnostics.
- A developer or automation workflow may execute a temporary or shared-directory runtime (e.g., `node`/`python` unpacked to `/tmp` or `/Users/Shared`) that reads the plist to detect interfaces, DNS, or proxy configuration for environment-aware builds or tests.

### Response and remediation

- Isolate the affected Mac from the network and terminate the offending process tree, then quarantine the on-disk script/binary (especially if staged in /tmp, /private/tmp, /var/tmp, or /Users/Shared) to stop further discovery or follow-on execution.
- Collect and preserve artifacts before cleanup, including the suspicious executable/script, its launch mechanism (LaunchAgents/LaunchDaemons, cron, login items), recent shell history, and a copy of /Library/Preferences/SystemConfiguration/preferences.plist metadata for later scoping and forensics.
- Eradicate persistence by removing unauthorized launch entries and deleting the staged payloads, then re-scan the host with EDR/AV and verify no additional suspicious interpreters or unsigned tools remain in temporary/shared directories.
- Recover by rotating credentials used on the host, reviewing and resetting network settings (DNS, proxy, VPN) if changed, and returning the system to service only after repeated checks show no re-creation of the removed artifacts across a full reboot cycle.
- Escalate to incident response immediately if the same process also makes outbound connections, modifies SystemConfiguration plists, or appears on multiple hosts, and initiate enterprise-wide hunting for the file hash and the associated launcher.
- Harden by restricting execution from temporary/shared directories, enforcing signed/notarized code where possible, auditing who can read sensitive configuration files, and adding allowlists for known management tools that legitimately access the preferences plist.
"""
risk_score = 47
rule_id = "6e5189c4-d3a5-4114-8cb3-bd3a65713f19"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
file where host.os.type == "macos" and event.action == "open" and
  file.path like "/Library/Preferences/SystemConfiguration/preferences.plist" and
  (process.name like~ ("python*", "osascript", "perl", "ruby", "node") or
   process.executable like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/var/tmp/*", "/private/var/tmp/*")) and
  not Effective_process.executable like "/Applications/Docker.app/Contents/MacOS/Docker"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Discovery"
  id = "TA0007"
  reference = "https://attack.mitre.org/tactics/TA0007/"

  [[rule.threat.technique]]
  name = "System Information Discovery"
  id = "T1082"
  reference = "https://attack.mitre.org/techniques/T1082/"

  [[rule.threat.technique]]
  name = "System Network Configuration Discovery"
  id = "T1016"
  reference = "https://attack.mitre.org/techniques/T1016/"
Related rules
- DNS Request for IP Lookup Service via Unsigned Binary
- Discovery Command Output Written to Suspicious File
- External IP Address Discovery via Curl
- Full Disk Access Permission Check
- Suspicious SIP Check by macOS Application