Authorization Plugin Modification
Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third-party software. Adversaries may abuse this feature to persist and/or collect cleartext credentials as they traverse the registered plugins during user logon.
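# Elastic detection rule: Authorization Plugin Modification (macOS).
# The rendered page had gutter line numbers fused onto every line, which made
# the listing unparseable as TOML; they are stripped here and every value is
# kept as published.
[metadata]
creation_date = "2021/01/13"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively
supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature
to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.
"""
# Look-back window per rule execution; with timestamp_override set to
# event.ingested below, the window is evaluated against ingest time so
# late-arriving endpoint events are not silently skipped.
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Authorization Plugin Modification"
references = [
  "https://developer.apple.com/documentation/security/authorization_plug-ins",
  "https://www.xorrior.com/persistent-credential-theft/",
]
risk_score = 47
rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"

# Fires on any non-deletion file event under the SecurityAgentPlugins
# directory, except the TeamViewer plugin bundle path (presumably a known
# benign installer of an authorization plugin). Deletions are out of scope,
# so removal of a legitimate plugin does not alert here.
# NOTE(review): in KQL `not` binds more tightly than `and`, so the final line
# reads as `(not process.name:shove) and process.code_signature.trusted:true`,
# i.e. a trusted code signature becomes a positive requirement and writes by
# untrusted or unsigned processes would not match. If the intent is only to
# exclude the trusted-signed "shove" helper, it should be written as
# `not (process.name:shove and process.code_signature.trusted:true)` —
# confirm against the rule's unit-test events before changing.
query = '''
event.category:file and host.os.type:macos and not event.type:deletion and
 file.path:(/Library/Security/SecurityAgentPlugins/* and
 not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and
 not process.name:shove and process.code_signature.trusted:true
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1547"
name = "Boot or Logon Autostart Execution"
reference = "https://attack.mitre.org/techniques/T1547/"

[[rule.threat.technique.subtechnique]]
id = "T1547.002"
name = "Authentication Package"
reference = "https://attack.mitre.org/techniques/T1547/002/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"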