Persistence via Login or Logout Hook

  1[metadata]
  2creation_date = "2020/12/07"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/02/04"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this
 11capability to establish persistence in an environment by inserting code to be executed at login or logout.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.process*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Persistence via Login or Logout Hook"
 18references = [
 19    "https://www.virusbulletin.com/uploads/pdf/conference_slides/2014/Wardle-VB2014.pdf",
 20    "https://www.manpagez.com/man/1/defaults/",
 21]
 22risk_score = 47
 23rule_id = "5d0265bf-dea9-41a9-92ad-48a8dcd05080"
 24setup = """## Setup
 25
 26This rule requires data coming in from Elastic Defend.
 27
 28### Elastic Defend Integration Setup
 29Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 30
 31#### Prerequisite Requirements:
 32- Fleet is required for Elastic Defend.
 33- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 34
 35#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 36- Go to the Kibana home page and click "Add integrations".
 37- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 38- Click "Add Elastic Defend".
 39- Configure the integration name and optionally add a description.
 40- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 41- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 42- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 43- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 44For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 45- Click "Save and Continue".
 46- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 47For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 48"""
 49severity = "medium"
 50tags = [
 51    "Domain: Endpoint",
 52    "OS: macOS",
 53    "Use Case: Threat Detection",
 54    "Tactic: Persistence",
 55    "Data Source: Elastic Defend",
 56    "Resources: Investigation Guide",
 57]
 58timestamp_override = "event.ingested"
 59type = "eql"
 60
 61query = '''
 62process where host.os.type == "macos" and event.type == "start" and
 63 process.name == "defaults" and process.args == "write" and process.args : ("LoginHook", "LogoutHook") and
 64 not process.args :
 65       (
 66         "Support/JAMF/ManagementFrameworkScripts/logouthook.sh",
 67         "Support/JAMF/ManagementFrameworkScripts/loginhook.sh",
 68         "/Library/Application Support/JAMF/ManagementFrameworkScripts/logouthook.sh",
 69         "/Library/Application Support/JAMF/ManagementFrameworkScripts/loginhook.sh"
 70       )
 71'''
 72note = """## Triage and analysis
 73
 74> **Disclaimer**:
 75> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 76
 77### Investigating Persistence via Login or Logout Hook
 78
 79In macOS environments, login and logout hooks are scripts executed automatically during user login or logout, often used for system management tasks. Adversaries exploit this by inserting malicious scripts to maintain persistence. The detection rule identifies suspicious use of the `defaults` command to set these hooks, excluding known legitimate scripts, thus highlighting potential unauthorized persistence attempts.
 80
 81### Possible investigation steps
 82
 83- Review the process execution details to confirm the use of the "defaults" command with "write" arguments targeting "LoginHook" or "LogoutHook".
 84- Check the process execution history for the user account associated with the alert to identify any unusual or unauthorized activity.
 85- Investigate the source and content of the script specified in the "defaults" command to determine if it contains malicious or unauthorized code.
 86- Cross-reference the script path against known legitimate scripts to ensure it is not mistakenly flagged.
 87- Analyze recent system changes or installations that might have introduced the suspicious script or process.
 88- Review system logs around the time of the alert for any additional indicators of compromise or related suspicious activity.
 89
 90### False positive analysis
 91
 92- Known false positives include legitimate scripts used by system management tools like JAMF, which are often set as login or logout hooks.
 93- To handle these, users can create exceptions for known legitimate scripts by adding their paths to the exclusion list in the detection rule.
 94- Regularly review and update the exclusion list to ensure it includes all authorized scripts used in your environment.
 95- Monitor for any changes in the behavior of these scripts to ensure they remain non-threatening and authorized.
 96- Collaborate with IT and security teams to identify any new legitimate scripts that should be excluded from detection.
 97
 98### Response and remediation
 99
100- Immediately isolate the affected macOS system from the network to prevent potential lateral movement or data exfiltration by the adversary.
101- Terminate any suspicious processes associated with the unauthorized login or logout hooks to halt any ongoing malicious activity.
102- Remove the unauthorized login or logout hooks by using the `defaults delete` command to ensure the persistence mechanism is dismantled.
103- Conduct a thorough review of system logs and recent changes to identify any additional unauthorized modifications or indicators of compromise.
104- Restore any affected system files or configurations from a known good backup to ensure system integrity and functionality.
105- Escalate the incident to the security operations team for further analysis and to determine if additional systems are affected.
106- Implement enhanced monitoring and alerting for similar unauthorized use of the `defaults` command to improve detection and response capabilities."""
107
108
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111[[rule.threat.technique]]
112id = "T1037"
113name = "Boot or Logon Initialization Scripts"
114reference = "https://attack.mitre.org/techniques/T1037/"
115
116
117[rule.threat.tactic]
118id = "TA0003"
119name = "Persistence"
120reference = "https://attack.mitre.org/tactics/TA0003/"