Attempt to Mount SMB Share via Command Line
Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.
Elastic rule
[metadata]
creation_date = "2021/01/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may
use valid accounts to interact with a remote network share using SMB.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Mount SMB Share via Command Line"
references = ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.com/osx/mount.html"]
risk_score = 21
rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect; for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration setting, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and
  (
    process.name : "mount_smbfs" or
    (process.name : "open" and process.args : "smb://*") or
    (process.name : "mount" and process.args : "smbfs") or
    (process.name : "osascript" and process.command_line : "osascript*mount volume*smb://*")
  ) and
  not process.parent.executable : "/Applications/Google Drive.app/Contents/MacOS/Google Drive"
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Attempt to Mount SMB Share via Command Line

SMB (Server Message Block) is a protocol used for network file sharing, allowing applications to read and write to files and request services from server programs in a computer network. Adversaries exploit SMB to move laterally within a network by accessing shared resources using valid credentials. The detection rule identifies suspicious command-line activities on macOS, such as using built-in commands to mount SMB shares, which may indicate unauthorized access attempts. It filters out benign processes, like those from Google Drive, to reduce false positives, focusing on potential threats.

### Possible investigation steps

- Review the process details to confirm the execution of commands like "mount_smbfs", "open", "mount", or "osascript" with arguments indicating an attempt to mount an SMB share.
- Check the user account associated with the process to determine if it is a valid and authorized user for accessing SMB shares.
- Investigate the source and destination IP addresses involved in the SMB connection attempt to identify if they are known and trusted within the network.
- Examine the parent process of the suspicious activity to understand the context and origin of the command execution, ensuring it is not a benign process like Google Drive.
- Look for any other related alerts or logs that might indicate lateral movement or unauthorized access attempts within the network.
- Assess the risk and impact of the activity by correlating it with other security events or incidents involving the same user or system.

### False positive analysis

- Google Drive operations can trigger this rule due to its use of SMB for file synchronization. To manage this, exclude processes originating from the Google Drive application by using the provided exception for its executable path.
- Legitimate user activities involving manual mounting of SMB shares for accessing network resources may be flagged. To handle this, identify and whitelist specific user accounts or devices that regularly perform these actions as part of their normal workflow.
- Automated backup solutions that utilize SMB for network storage access might be detected. Review and exclude these processes by identifying their specific command-line patterns or parent processes.
- Development or testing environments where SMB shares are frequently mounted for application testing can cause alerts. Implement exceptions for these environments by specifying known IP addresses or hostnames associated with the test servers.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further lateral movement by the adversary.
- Verify the credentials used in the SMB mount attempt to determine if they have been compromised. Reset passwords and revoke access if necessary.
- Conduct a thorough review of recent login activities and access logs on the affected system and any connected SMB shares to identify unauthorized access or data exfiltration.
- Remove any unauthorized SMB mounts and ensure that no persistent connections remain active.
- Update and patch the macOS system and any related software to mitigate known vulnerabilities that could be exploited for lateral movement.
- Enhance monitoring and logging on the network to detect future unauthorized SMB mount attempts, focusing on the specific command-line patterns identified in the alert.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on the broader network infrastructure."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.002"
name = "SMB/Windows Admin Shares"
reference = "https://attack.mitre.org/techniques/T1021/002/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
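To show what the EQL query above does with concrete events, here is an added Python re-implementation of its matching logic run over a few constructed process events; it is not part of the Elastic rule and is not how Elasticsearch evaluates EQL. It assumes that EQL's `:` operator is a case-insensitive wildcard match that succeeds if any element of an array field (such as `process.args`) matches, and that a missing `process.parent.executable` does not satisfy the Google Drive exclusion, so such events still alert.

```python
import fnmatch
from typing import Any, Dict, List

GOOGLE_DRIVE = "/Applications/Google Drive.app/Contents/MacOS/Google Drive"


def eql_match(value: Any, pattern: str) -> bool:
    """Approximates EQL ':' (case-insensitive, '*' wildcard). Assumed: an array field
    matches if any element matches; a missing field never matches."""
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(fnmatch.fnmatchcase(str(v).lower(), pattern.lower()) for v in values)

def matches_rule(event: Dict[str, Any]) -> bool:
    """Mirrors the rule's query: macOS process start, one of four mount patterns,
    and not a child of the Google Drive client (the rule's sole exclusion)."""
    if event.get("host.os.type") != "macos" or event.get("event.type") not in ("start", "process_started"):
        return False
    name, args = event.get("process.name"), event.get("process.args")
    cmdline = event.get("process.command_line")
    hit = (
        eql_match(name, "mount_smbfs")
        or (eql_match(name, "open") and eql_match(args, "smb://*"))
        or (eql_match(name, "mount") and eql_match(args, "smbfs"))
        or (eql_match(name, "osascript") and eql_match(cmdline, "osascript*mount volume*smb://*"))
    )
    # A missing parent path does not match the exclusion, so such events still alert.
    return hit and not eql_match(event.get("process.parent.executable"), GOOGLE_DRIVE)

def _ev(name: str, parent: str = "/bin/zsh", os_type: str = "macos", **fields: Any) -> Dict[str, Any]:
    """Build a constructed Elastic Defend-style process start event (not real telemetry)."""
    return {"host.os.type": os_type, "event.type": "start", "process.name": name,
            "process.parent.executable": parent, **fields}

# Constructed sample events: the first four should alert, the last three should not.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _ev("mount_smbfs", **{"process.args": ["mount_smbfs", "//u@fs.example/share", "/Volumes/share"]}),
    _ev("open", **{"process.args": ["open", "smb://fs.example/share"]}),
    _ev("mount", **{"process.args": ["mount", "-t", "smbfs", "//fs.example/share", "/Volumes/share"]}),
    _ev("osascript", parent="/usr/bin/python3",
        **{"process.command_line": "osascript -e 'mount volume \"smb://fs.example/share\"'"}),
    _ev("mount_smbfs", parent=GOOGLE_DRIVE, **{"process.args": ["mount_smbfs", "//d/s", "/Volumes/d"]}),
    _ev("mount", os_type="linux", **{"process.args": ["mount", "-t", "smbfs", "//x/y", "/mnt/y"]}),
    _ev("mount", **{"process.args": ["mount", "-t", "apfs", "/dev/disk2s1", "/Volumes/data"]}),
]

def alerts(events: List[Dict[str, Any]]) -> List[str]:
    """Return the process names of the events the rule would alert on."""
    return [e["process.name"] for e in events if matches_rule(e)]
```

The Google Drive exclusion only suppresses a direct child of that executable; a mount launched from a shell that Google Drive spawned would still alert, which is the behaviour the rule's own exception path implies.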
Related rules
- Virtual Private Network Connection Attempt
- Potential Kerberos Attack via Bifrost
- Remote SSH Login Enabled via systemsetup Command
- SSH Authorized Keys File Modification
- Access to Keychain Credentials Directories