Remote SSH Login Enabled via systemsetup Command

Detects use of the systemsetup command to enable remote SSH Login.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/08/18"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = "Detects use of the systemsetup command to enable remote SSH Login."
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Remote SSH Login Enabled via systemsetup Command"
references = [
    "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
    "https://ss64.com/osx/systemsetup.html",
    "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac",
]
risk_score = 47
rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:systemsetup and
 process.args:("-setremotelogin" and on) and
 not process.parent.executable : /usr/local/jamf/bin/jamf
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Remote SSH Login Enabled via systemsetup Command

The `systemsetup` command in macOS is a utility that allows administrators to configure system settings, including enabling remote SSH login, which facilitates remote management and access. Adversaries may exploit this to gain unauthorized access and move laterally within a network. The detection rule identifies suspicious use of `systemsetup` to enable SSH, excluding legitimate administrative tools, by monitoring process execution patterns and arguments.

### Possible investigation steps

- Review the process execution details to confirm the use of the systemsetup command with the arguments "-setremotelogin" and "on" to ensure the alert is not a false positive.
- Check the parent process of the systemsetup command to identify if it was executed by a known administrative tool or script, excluding /usr/local/jamf/bin/jamf as per the rule.
- Investigate the user account associated with the process execution to determine if it is a legitimate administrator or a potentially compromised account.
- Examine recent login events and SSH access logs on the host to identify any unauthorized access attempts or successful logins following the enabling of remote SSH login.
- Correlate this event with other security alerts or logs from the same host or network segment to identify potential lateral movement or further malicious activity.

### False positive analysis

- Legitimate administrative tools like Jamf may trigger this rule when enabling SSH for authorized management purposes. To handle this, ensure that the process parent executable path for Jamf is correctly excluded in the detection rule.
- Automated scripts used for system configuration and maintenance might enable SSH as part of their routine operations. Review these scripts and, if verified as safe, add their parent process paths to the exclusion list.
- IT support activities that require temporary SSH access for troubleshooting can also cause false positives. Document these activities and consider scheduling them during known maintenance windows to reduce alerts.
- Security software or management tools that periodically check or modify system settings could inadvertently trigger this rule. Identify these tools and exclude their specific process paths if they are confirmed to be non-threatening.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious or unauthorized SSH sessions that are currently active on the affected system.
- Review and revoke any unauthorized SSH keys or credentials that may have been added to the system.
- Conduct a thorough examination of the system logs to identify any additional unauthorized activities or changes made by the adversary.
- Restore the system to a known good state from a backup taken before the unauthorized SSH access was enabled, if possible.
- Implement network segmentation to limit SSH access to only trusted administrative systems and users.
- Escalate the incident to the security operations team for further investigation and to determine if additional systems have been compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"
[[rule.threat.technique.subtechnique]]
id = "T1021.004"
name = "SSH"
reference = "https://attack.mitre.org/techniques/T1021/004/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
...
```
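The following Python is an added example, not code from the Elastic rule or its repository. It mirrors the KQL clauses of the query above (process category, macOS host, `systemsetup` with both `-setremotelogin` and `on` in `process.args`, and the Jamf parent exclusion) over a handful of constructed ECS-style events, then carries out the investigation step of looking for SSH logins that followed the enable, using constructed lines in OpenSSH's "Accepted <method> for <user> from <ip> port <port>" format with a timestamp prepended. The event layout, helper names (`_proc`, `_ts`) and all sample data are assumptions made for the example; the rule itself keys on the `systemsetup` binary only and says nothing about other ways of starting sshd, so treat it as one signal rather than full coverage.

```python
import re
from datetime import datetime, timedelta

# Parent path the rule excludes verbatim (taken from the KQL query).
JAMF_BINARY = "/usr/local/jamf/bin/jamf"


def matches_rule(event: dict) -> bool:
    """Apply the KQL clauses, one by one, to a single ECS-style process event.

    `process.args:("-setremotelogin" and on)` is an exact keyword match on the
    args array: both values must be present, in any order and any position.
    """
    if event.get("event.category") != "process":
        return False
    if event.get("host.os.type") != "macos":
        return False
    if not {"start", "process_started"} & set(event.get("event.type", [])):
        return False
    if event.get("process.name") != "systemsetup":
        return False
    args = event.get("process.args", [])
    if "-setremotelogin" not in args or "on" not in args:
        return False
    # Exclusion clause: SSH enabled by the Jamf agent is treated as expected.
    if event.get("process.parent.executable") == JAMF_BINARY:
        return False
    return True


def alerts(events):
    """Return the events that would produce an alert."""
    return [e for e in events if matches_rule(e)]


# OpenSSH's "Accepted <method> for <user> from <ip> port <port>" auth message.
SSHD_ACCEPTED = re.compile(r"Accepted (\w[\w-]*) for (\S+) from (\S+) port (\d+)")


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def ssh_logins_after(alert: dict, sshd_lines, window=timedelta(hours=24)):
    """Investigation step: successful sshd logins in the window after the enable event.

    Each line is assumed to be "<ISO-8601 timestamp> <sshd message>" (a constructed
    layout for this example; real unified-log output needs its own parsing).
    """
    start = _ts(alert["@timestamp"])
    found = []
    for line in sshd_lines:
        when_str, _, message = line.partition(" ")
        when = _ts(when_str)
        m = SSHD_ACCEPTED.search(message)
        if m and start < when <= start + window:
            found.append({"time": when_str, "method": m.group(1),
                          "user": m.group(2), "source": m.group(3)})
    return found


def _proc(ts, args, parent, os_type="macos"):
    # Constructed ECS-style process start event; argv[0] is included in process.args.
    return {"@timestamp": ts, "event.category": "process", "event.type": ["start"],
            "host.os.type": os_type, "process.name": "systemsetup",
            "process.args": ["systemsetup"] + args,
            "process.parent.executable": parent, "user.name": "sam"}


# Constructed sample telemetry: only the first event should alert.
SAMPLE_EVENTS = [
    _proc("2025-01-15T10:00:00Z", ["-setremotelogin", "on"], "/bin/bash"),           # alert
    _proc("2025-01-15T10:00:05Z", ["-setremotelogin", "on"], JAMF_BINARY),           # excluded parent
    _proc("2025-01-15T10:00:10Z", ["-getremotelogin"], "/bin/zsh"),                  # read-only query
    _proc("2025-01-15T10:00:15Z", ["-setremotelogin", "off"], "/bin/bash"),          # disables SSH
    _proc("2025-01-15T10:00:20Z", ["-setremotelogin", "on"], "/bin/bash", "linux"),  # wrong OS
]

# Constructed sshd lines: one login before the enable, one after, one failure.
SAMPLE_SSHD_LINES = [
    "2025-01-15T09:55:00Z sshd[401]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
    "2025-01-15T10:02:30Z sshd[402]: Accepted password for sam from 203.0.113.7 port 40212 ssh2",
    "2025-01-15T10:03:00Z sshd[403]: Failed password for root from 203.0.113.7 port 40213 ssh2",
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT", hit["@timestamp"], "parent:", hit["process.parent.executable"])
        for login in ssh_logins_after(hit, SAMPLE_SSHD_LINES):
            print("  SSH login after enable:", login)
```

Running it yields one alert (the `/bin/bash`-parented enable) and one follow-on login, the password authentication for `sam` from 203.0.113.7; the Jamf-parented enable, the `-getremotelogin` query, the `off` invocation and the non-macOS event all fall through the same clauses the KQL applies. When adding exclusions for other management tools, match on the full parent executable path as the rule does for Jamf, not on the process name alone.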
