Persistence via Folder Action Script
Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.
[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
# Multi-line literal string: the text is taken verbatim, line breaks included.
description = '''
Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is
attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this
feature to establish persistence by utilizing a malicious script.
'''
from = "now-9m"
index = [
    "auditbeat-*",
    "logs-endpoint.events.*",
]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Folder Action Script"
references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"]
risk_score = 47
rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
]
type = "eql"

# Two-stage EQL sequence, joined on host.id within a 5 s window:
#   1. com.apple.foundation.UserScriptService is observed (start, process_started
#      or info event), keyed by its process.pid;
#   2. a scripting interpreter starts whose process.parent.pid matches that pid.
# The iTerm2 AutoLaunch path is carved out of stage 2 (presumably a known benign
# source of such launches — confirm before widening or narrowing the exclusion).
query = '''
sequence by host.id with maxspan=5s
 [process where host.os.type == "macos" and event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid
 [process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and
 not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt"
 ] by process.parent.pid
'''

# ATT&CK mapping: one entry per tactic, each carrying its technique list.
[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0003", name = "Persistence", reference = "https://attack.mitre.org/tactics/TA0003/" }
technique = [
    { id = "T1037", name = "Boot or Logon Initialization Scripts", reference = "https://attack.mitre.org/techniques/T1037/" },
]

[[rule.threat]]
framework = "MITRE ATT&CK"
tactic = { id = "TA0002", name = "Execution", reference = "https://attack.mitre.org/tactics/TA0002/" }
technique = [
    { id = "T1059", name = "Command and Scripting Interpreter", reference = "https://attack.mitre.org/techniques/T1059/" },
]