Sublime Plugin or Application Script Modification

Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.

Elastic rule

[metadata]
creation_date = "2020/12/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the
Sublime application is started.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Sublime Plugin or Application Script Modification"
references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
risk_score = 21
rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "macos" and event.type in ("change", "creation") and file.extension : "py" and
  file.path :
    (
      "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py",
      "/Applications/Sublime Text.app/Contents/MacOS/sublime.py"
    ) and
  not process.executable :
    (
      "/Applications/Sublime Text*.app/Contents/*",
      "/usr/local/Cellar/git/*/bin/git",
      "/Library/Developer/CommandLineTools/usr/bin/git",
      "/usr/libexec/xpcproxy",
      "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper"
    )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Sublime Plugin or Application Script Modification

Sublime Text, a popular text editor, supports plugins and scripts written in Python to enhance functionality. Adversaries may exploit this by altering these scripts to execute malicious code whenever the application launches, achieving persistence. The detection rule identifies suspicious modifications or creations of Python files in specific Sublime directories on macOS, excluding legitimate processes, to flag potential threats.

### Possible investigation steps

- Review the file path and name of the modified or created Python file to determine if it aligns with known Sublime Text plugin directories, specifically checking paths like "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py" and "/Applications/Sublime Text.app/Contents/MacOS/sublime.py".
- Examine the process that triggered the file change or creation event, ensuring it is not one of the excluded legitimate processes such as those from "/Applications/Sublime Text*.app/Contents/*" or "/usr/local/Cellar/git/*/bin/git".
- Analyze the contents of the modified or newly created Python file for any suspicious or unauthorized code, focusing on scripts that may execute commands or connect to external networks.
- Check the modification or creation timestamp of the file to correlate with any known user activity or other security events that occurred around the same time.
- Investigate the user account associated with the file modification to determine if the activity aligns with their typical behavior or if it might indicate compromised credentials.
- Look for any additional indicators of compromise on the host, such as unusual network connections or other file modifications, to assess the broader impact of the potential threat.

### False positive analysis

- Legitimate Sublime Text updates or installations may trigger the rule by modifying or creating Python files in the specified directories. Users can mitigate this by temporarily disabling the rule during known update periods or by verifying the update source.
- Development activities involving Sublime Text plugins or scripts can cause false positives. Developers should consider excluding their specific user paths or processes from the rule to prevent unnecessary alerts.
- Automated backup or synchronization tools that modify Sublime Text configuration files might be flagged. Users can exclude these tools' processes from the rule to avoid false positives.
- System maintenance or cleanup scripts that interact with Sublime Text directories could trigger alerts. Identifying and excluding these scripts from the rule can help manage false positives.
- Version control operations, such as those involving git, may modify files in the monitored directories. Users should ensure that legitimate git processes are included in the exclusion list to prevent false alerts.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread of any potential malicious activity.
- Terminate any suspicious processes related to Sublime Text that are not part of the legitimate process list provided in the detection rule.
- Restore the modified or newly created Python files in the specified Sublime directories from a known good backup to ensure no malicious code persists.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection tools to identify and remove any additional malicious payloads.
- Review system logs and the history of file changes to identify any unauthorized access or modifications, and document findings for further analysis.
- Escalate the incident to the security operations team for a deeper investigation into potential compromise vectors and to assess the need for broader organizational response.
- Implement additional monitoring on the affected system and similar environments to detect any recurrence of the threat, ensuring enhanced logging for the specified directories and processes."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1554"
name = "Compromise Host Software Binary"
reference = "https://attack.mitre.org/techniques/T1554/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
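
To see exactly which events the query above fires on, here is the rule's matching logic re-implemented in plain Python and run over a handful of constructed file events. This is an added example, not Elastic's code and not how the Elastic stack evaluates EQL; it assumes that EQL's `:` operator can be approximated with a case-insensitive fnmatch (in both, `*` also spans `/`), that every sample event carries a `process.executable` (so the question of how EQL treats a missing field does not arise), and that the events, paths and the `plugin_host-3.8` binary name are illustrative rather than captured from a real host.

```python
"""Added example (not Elastic's code): the rule's EQL query re-implemented in
plain Python and run over constructed sample file events, so the true positive,
the exclusion and the non-matching cases can be seen side by side.

Assumptions: EQL's ':' operator is approximated with case-insensitive fnmatch
(in both, '*' also spans '/'); every sample event carries a process.executable;
the events and paths below are constructed, not captured from a host."""
from fnmatch import fnmatchcase

# Patterns copied verbatim from the rule's query.
WATCHED_PATHS = (
    "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py",
    "/Applications/Sublime Text.app/Contents/MacOS/sublime.py",
)
EXCLUDED_EXECUTABLES = (
    "/Applications/Sublime Text*.app/Contents/*",
    "/usr/local/Cellar/git/*/bin/git",
    "/Library/Developer/CommandLineTools/usr/bin/git",
    "/usr/libexec/xpcproxy",
    "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper",
)


def eql_like(value, patterns):
    """Approximate EQL 'field : (p1, p2, ...)': case-insensitive wildcard match
    against any of the patterns. fnmatchcase gives '/' no special meaning,
    which is what we want here. A missing value never matches."""
    if value is None:
        return False
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def matches_rule(event):
    """True when the event satisfies every clause of the rule's query."""
    return (
        event.get("event.category") == "file"            # 'file where ...'
        and event.get("host.os.type") == "macos"
        and event.get("event.type") in ("change", "creation")
        and eql_like(event.get("file.extension"), ("py",))
        and eql_like(event.get("file.path"), WATCHED_PATHS)
        and not eql_like(event.get("process.executable"), EXCLUDED_EXECUTABLES)
    )


def run_rule(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


def _ev(ident, etype, path, exe, os_type="macos"):
    """Build a constructed event using the flattened field names the query uses."""
    return {
        "id": ident, "event.category": "file", "event.type": etype,
        "host.os.type": os_type, "file.path": path,
        "file.extension": path.rsplit(".", 1)[-1], "process.executable": exe,
    }


USER_PKG = "/Users/alice/Library/Application Support/Sublime Text/Packages/User/"
SAMPLE_EVENTS = [
    # A script interpreter drops a plugin into the user's Packages tree: alert.
    _ev("e1", "creation", USER_PKG + "startup.py", "/usr/bin/python3"),
    # Sublime's own plugin host writes the same file: excluded by the bundle path.
    _ev("e2", "creation", USER_PKG + "startup.py", "/Applications/Sublime Text.app/Contents/MacOS/plugin_host-3.8"),
    # A shell edits the application script inside the bundle: alert.
    _ev("e3", "change", "/Applications/Sublime Text.app/Contents/MacOS/sublime.py", "/bin/bash"),
    # git checkout into a Sublime Text 3 Packages directory: excluded.
    _ev("e4", "creation", "/Users/bob/Library/Application Support/Sublime Text 3/Packages/Foo/foo.py",
        "/Library/Developer/CommandLineTools/usr/bin/git"),
    # Not a .py file: no match.
    _ev("e5", "creation", USER_PKG + "notes.md", "/usr/bin/python3"),
    # Deletion is not one of the watched event types: no match.
    _ev("e6", "deletion", USER_PKG + "startup.py", "/usr/bin/python3"),
    # Same write on a Linux host: no match.
    _ev("e7", "creation", USER_PKG + "startup.py", "/usr/bin/python3", os_type="linux"),
    # Upper-case extension still matches because ':' is case-insensitive: alert.
    _ev("e8", "change", USER_PKG + "Hook.PY", "/usr/bin/osascript"),
]

if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))
```

Two things the sample run makes visible. First, the `not process.executable : "/Applications/Sublime Text*.app/Contents/*"` clause excludes everything spawned from inside the app bundle, including Sublime's own plugin host, so a plugin written by the editor itself (for instance a package installed from within the editor) will not fire this rule; that is the price of keeping the false-positive rate down, and it is worth pairing with a separate rule or review of newly installed packages. Second, the user-directory pattern tolerates any `Sublime Text*` data folder (e.g. `Sublime Text 3`), while the in-bundle script clause is pinned to the exact bundle name `Sublime Text.app`; a renamed bundle would be covered by the exclusion but not by the second watched path.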

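The investigation steps ask the analyst to read the flagged Python file for code that executes commands or reaches the network. Below is an added example of a first-pass static triage for that step, built on the standard library's `ast` module; it is not part of the Elastic rule or its investigation guide. It assumes that Sublime loads plugin modules at start-up and, per its public plugin API, calls a module-level `plugin_loaded()` once the editor API is ready (so both module-level statements and that hook count as load-time code paths), that the list of API names is a starting point rather than an exhaustive one, and that the three plugin sources are constructed for the example.

```python
"""Added example (not part of the Elastic rule or its investigation guide):
a first-pass static triage of a Python file flagged by the rule, using the
standard-library ast module.

Assumptions: Sublime runs module-level plugin code at start-up and calls a
module-level plugin_loaded() once its API is ready (public plugin API), so
both are 'load-time' code paths; the API name list is a starting point, not
exhaustive; the three plugin sources below are constructed, not real."""
import ast

# Call targets worth a closer look in an editor plugin.
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
    "os.system", "os.popen", "os.execv", "os.execvp", "os.spawnl",
    "socket.socket", "urllib.request.urlopen", "requests.get", "requests.post",
    "base64.b64decode", "exec", "eval", "compile", "__import__",
}
LOAD_TIME_HOOKS = {"plugin_loaded"}


def _dotted_name(node):
    """Render a call target such as subprocess.Popen as 'subprocess.Popen';
    return None for dynamic targets (results of other calls, subscripts, ...)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def triage_plugin_source(source):
    """Parse plugin source and report load-time entry points, imports and
    suspicious call sites. Verdict: 'review' when suspicious APIs are present
    alongside load-time code, 'note' when they exist only behind commands the
    user must invoke, otherwise 'benign-looking'."""
    tree = ast.parse(source)
    findings = {"load_time_hooks": [], "module_level_calls": [],
                "suspicious_calls": [], "imports": []}
    for stmt in tree.body:  # top-level statements run when the module is imported
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef)) and stmt.name in LOAD_TIME_HOOKS:
            findings["load_time_hooks"].append(stmt.name)
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            findings["module_level_calls"].append(_dotted_name(stmt.value.func) or "<dynamic>")
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            findings["imports"].extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            mod = node.module or "."
            findings["imports"].extend(f"{mod}.{alias.name}" for alias in node.names)
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings["suspicious_calls"].append((name, node.lineno))
    findings["suspicious_calls"].sort(key=lambda hit: (hit[1], hit[0]))
    load_time = findings["load_time_hooks"] or findings["module_level_calls"]
    if findings["suspicious_calls"] and load_time:
        findings["verdict"] = "review"
    elif findings["suspicious_calls"]:
        findings["verdict"] = "note"
    else:
        findings["verdict"] = "benign-looking"
    return findings


# Constructed sample 1: an ordinary text command; nothing runs at load time.
BENIGN_PLUGIN = '''
import sublime
import sublime_plugin

class InsertDateCommand(sublime_plugin.TextCommand):
    def run(self, edit):
        self.view.insert(edit, 0, "2025-01-15")
'''

# Constructed sample 2: spawns a process, but only when the user invokes the command.
FORMATTER_PLUGIN = '''
import subprocess
import sublime_plugin

class RunFormatterCommand(sublime_plugin.TextCommand):
    def run(self, edit):
        subprocess.run(["/usr/local/bin/black", self.view.file_name()])
'''

# Constructed sample 3: decodes a string and spawns a shell as soon as the plugin
# loads (the encoded payload is a harmless "echo hello"; the shape is what matters).
SUSPICIOUS_PLUGIN = '''
import base64, subprocess
import sublime_plugin

def plugin_loaded():
    cmd = base64.b64decode("ZWNobyBoZWxsbw==").decode()
    subprocess.Popen(["/bin/sh", "-c", cmd])
'''

if __name__ == "__main__":
    for label, src in [("benign", BENIGN_PLUGIN), ("formatter", FORMATTER_PLUGIN),
                       ("suspicious", SUSPICIOUS_PLUGIN)]:
        print(label, triage_plugin_source(src)["verdict"])
```

This is a static pass only: code that builds API names from strings, reaches them through `getattr`, or unpacks a second stage at runtime will not show up as a direct call, so a "benign-looking" verdict is a reason to diff the file against the package's published source and, where needed, run it in an isolated host, not a reason to close the alert.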
