Virtual Private Network Connection Attempt

Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/01/25"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/04"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries
may use VPN connections to laterally move and control remote systems on a network.
"""
from = "now-9m"
index = ["logs-endpoint.events.process*"]
language = "eql"
license = "Elastic License v2"
name = "Virtual Private Network Connection Attempt"
references = [
    "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/osx/manage/vpn.rb",
    "https://www.unix.com/man-page/osx/8/networksetup/",
    "https://superuser.com/questions/358513/start-configured-vpn-from-command-line-osx",
]
risk_score = 21
rule_id = "15dacaa0-5b90-466b-acab-63435a59701a"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and
  (
    (process.name : "networksetup" and process.args : "-connectpppoeservice") or
    (process.name : "scutil" and process.args : "--nc" and process.args : "start") or
    (process.name : "osascript" and process.command_line : "osascript*set VPN to service*")
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Virtual Private Network Connection Attempt

Virtual Private Networks (VPNs) are used to securely connect to remote networks, encrypting data and masking IP addresses. Adversaries may exploit VPNs to move laterally within a network, gaining unauthorized access to systems. The detection rule identifies suspicious VPN connection attempts on macOS by monitoring specific command executions, helping to flag potential misuse for further investigation.

### Possible investigation steps

- Review the process details to confirm the legitimacy of the VPN connection attempt by examining the process name and arguments, such as "networksetup" with "-connectpppoeservice", "scutil" with "--nc start", or "osascript" with "osascript*set VPN to service*".
- Check the user account associated with the process to determine if the activity aligns with their typical behavior or if it appears suspicious.
- Investigate the source IP address and destination network to assess if the connection is to a known and trusted network or if it is unusual for the environment.
- Analyze historical data for similar VPN connection attempts from the same user or device to identify patterns or repeated unauthorized access attempts.
- Correlate the VPN connection attempt with other security events or alerts to identify potential lateral movement or further malicious activity within the network.

### False positive analysis

- Legitimate VPN usage by IT staff or network administrators may trigger the rule. To manage this, create exceptions for known user accounts or specific times when VPN maintenance is scheduled.
- Automated scripts or applications that use macOS built-in commands for VPN connections can cause false positives. Identify these scripts and whitelist their process names or command lines.
- Frequent VPN connections from trusted devices or IP addresses might be flagged. Exclude these devices or IPs from the rule to reduce noise.
- Users who frequently travel and connect to corporate networks via VPN may trigger alerts. Consider excluding these users or implementing a separate monitoring strategy for their activities.
- Regularly review and update the exclusion list to ensure it reflects current network policies and user behaviors, minimizing unnecessary alerts.

### Response and remediation

- Immediately isolate the affected macOS device from the network to prevent further lateral movement by the adversary.
- Terminate any suspicious VPN connections identified by the detection rule to cut off unauthorized access.
- Conduct a thorough review of the affected system's VPN configuration and logs to identify any unauthorized changes or connections.
- Reset credentials and update authentication methods for VPN access to ensure that compromised credentials are not reused.
- Escalate the incident to the security operations center (SOC) for further analysis and to determine if other systems have been affected.
- Implement additional monitoring on the network for unusual VPN connection attempts or related suspicious activities to enhance detection capabilities.
- Review and update VPN access policies to ensure they align with current security best practices and limit access to only necessary users and systems."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
...
```
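To see how the EQL query above behaves on concrete events, and how the user-account exceptions suggested in the false-positive analysis sit on top of it, here is an added Python re-implementation of the rule's matching logic (not Elastic's code; the sample events and the `excepted_users` mechanism are constructed for illustration):

```python
import fnmatch

# Constructed sample process events (not from the page), using the ECS fields the rule queries.
EVENTS = [
    {"host.os.type": "macos", "event.type": "start", "user.name": "alice", "process.name": "networksetup",
     "process.args": ["networksetup", "-connectpppoeservice", "Corp VPN"],
     "process.command_line": 'networksetup -connectpppoeservice "Corp VPN"'},
    {"host.os.type": "macos", "event.type": "start", "user.name": "bob", "process.name": "scutil",
     "process.args": ["scutil", "--nc", "start", "Corp VPN"],
     "process.command_line": 'scutil --nc start "Corp VPN"'},
    {"host.os.type": "macos", "event.type": "start", "user.name": "alice", "process.name": "osascript",
     "process.args": ["osascript", "-e", 'set VPN to service "Corp VPN"'],
     "process.command_line": 'osascript -e \'set VPN to service "Corp VPN"\''},
    # scutil only listing services: "--nc" is present but "start" is not, so no match
    {"host.os.type": "macos", "event.type": "start", "user.name": "bob", "process.name": "scutil",
     "process.args": ["scutil", "--nc", "list"], "process.command_line": "scutil --nc list"},
    # same command line, but a process end event rather than a start, so no match
    {"host.os.type": "macos", "event.type": "end", "user.name": "bob", "process.name": "scutil",
     "process.args": ["scutil", "--nc", "start", "Corp VPN"],
     "process.command_line": 'scutil --nc start "Corp VPN"'},
]

def _arg_present(event, value):
    # EQL `process.args : "x"` matches case-insensitively against any element of the args array.
    return any(a.lower() == value.lower() for a in event.get("process.args", []))

def matches_rule(event):
    """True when the event satisfies the rule's EQL query (no exceptions applied)."""
    if event.get("host.os.type") != "macos":
        return False
    if event.get("event.type") not in ("start", "process_started"):
        return False
    name = event.get("process.name", "").lower()
    cmdline = event.get("process.command_line", "").lower()
    if name == "networksetup" and _arg_present(event, "-connectpppoeservice"):
        return True
    if name == "scutil" and _arg_present(event, "--nc") and _arg_present(event, "start"):
        return True
    # `process.command_line : "osascript*set VPN to service*"` is a case-insensitive wildcard match.
    if name == "osascript" and fnmatch.fnmatchcase(cmdline, "osascript*set vpn to service*"):
        return True
    return False

def alerts(events, excepted_users=frozenset()):
    """Apply the rule, then drop hits from users excepted per the false-positive guidance."""
    return [e for e in events if matches_rule(e) and e.get("user.name") not in excepted_users]
```

Running `alerts(EVENTS)` flags only the three genuine connection attempts; adding `excepted_users={"alice"}` leaves just the `scutil` hit, which is the kind of per-user exception the triage guide recommends for known administrators.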
