Suspicious Hidden Child Process of Launchd
Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.
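# Detection rule: Suspicious Hidden Child Process of Launchd.
# The rendered page had line-gutter numbers fused onto every key
# ("1[metadata]", "2creation_date = ..."), which is not parseable TOML;
# they are stripped here and the rule's own values are kept verbatim.

# Rule-repository bookkeeping; not evaluated at query time.
[metadata]
creation_date = "2020/01/07"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by
installing a new logon item, launch agent, or daemon that executes upon login.
"""
# Lookback window for each scheduled run of the rule.
from = "now-9m"
# Both an Auditbeat stream and the Elastic Defend endpoint event stream are searched;
# the event.type alternatives in the query below are presumably what lets the same
# query match events from either source — confirm against the field mappings.
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Hidden Child Process of Launchd"
references = [
    "https://objective-see.com/blog/blog_0x61.html",
    "https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
    "https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html",
]
risk_score = 47
rule_id = "083fa162-e790-4d85-9aeb-4fea04188adb"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
]
# Rule scheduling keys on event.ingested rather than @timestamp so late-arriving
# endpoint events are not missed by the lookback window.
timestamp_override = "event.ingested"
type = "query"

# KQL, not a regular expression: in `process.name:.*` the leading "." is a literal
# character and "*" is the wildcard, so this matches any process whose name starts
# with a dot (hidden from default directory listings; see the T1564.001 mapping
# below) that was started directly by /sbin/launchd. The rule defines no exclusions,
# so every dot-prefixed launchd child on every macOS host will alert; baseline
# legitimate dot-prefixed agents before enabling broadly.
query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:.* and process.parent.executable:/sbin/launchd
'''

# ATT&CK mapping 1: the launchd child itself (persistence via launch agent/daemon).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1543"
name = "Create or Modify System Process"
reference = "https://attack.mitre.org/techniques/T1543/"
[[rule.threat.technique.subtechnique]]
id = "T1543.001"
name = "Launch Agent"
reference = "https://attack.mitre.org/techniques/T1543/001/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# ATT&CK mapping 2: the dot-prefixed name that the query keys on.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1564"
name = "Hide Artifacts"
reference = "https://attack.mitre.org/techniques/T1564/"
[[rule.threat.technique.subtechnique]]
id = "T1564.001"
name = "Hidden Files and Directories"
reference = "https://attack.mitre.org/techniques/T1564/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"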
References
Related rules
- Creation of Hidden Launch Agent or Daemon
- Attempt to Disable Gatekeeper
- Attempt to Enable the Root Account
- Attempt to Install Root Certificate
- Attempt to Remove File Quarantine Attribute