Authorization Plugin Modification

Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.

 1[metadata]
 2creation_date = "2021/01/13"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively
13supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature
14to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.
15"""
16from = "now-9m"
17index = ["auditbeat-*", "logs-endpoint.events.*"]
18language = "kuery"
19license = "Elastic License v2"
20name = "Authorization Plugin Modification"
21references = [
22    "https://developer.apple.com/documentation/security/authorization_plug-ins",
23    "https://www.xorrior.com/persistent-credential-theft/",
24]
25risk_score = 47
26rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10"
27severity = "medium"
28tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
29timestamp_override = "event.ingested"
30type = "query"
31
32query = '''
33event.category:file and host.os.type:macos and not event.type:deletion and
34  file.path:(/Library/Security/SecurityAgentPlugins/* and
35  not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/*) and
36  not process.name:shove and process.code_signature.trusted:true
37'''
38
39
40[[rule.threat]]
41framework = "MITRE ATT&CK"
42[[rule.threat.technique]]
43id = "T1547"
44name = "Boot or Logon Autostart Execution"
45reference = "https://attack.mitre.org/techniques/T1547/"
46[[rule.threat.technique.subtechnique]]
47id = "T1547.002"
48name = "Authentication Package"
49reference = "https://attack.mitre.org/techniques/T1547/002/"
50
51
52
53[rule.threat.tactic]
54id = "TA0003"
55name = "Persistence"
56reference = "https://attack.mitre.org/tactics/TA0003/"
