Potential Persistence via Periodic Tasks

  1[metadata]
  2creation_date = "2021/01/21"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic
 11tasks to execute malicious code or maintain persistence.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.*"]
 15language = "kuery"
 16license = "Elastic License v2"
 17name = "Potential Persistence via Periodic Tasks"
 18references = [
 19    "https://opensource.apple.com/source/crontabs/crontabs-13/private/etc/defaults/periodic.conf.auto.html",
 20    "https://www.oreilly.com/library/view/mac-os-x/0596003706/re328.html",
 21    "https://github.com/D00MFist/PersistentJXA/blob/master/PeriodicPersist.js",
 22]
 23risk_score = 21
 24rule_id = "48ec9452-e1fd-4513-a376-10a1a26d2c83"
 25setup = """## Setup
 26
 27This rule requires data coming in from Elastic Defend.
 28
 29### Elastic Defend Integration Setup
 30Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 31
 32#### Prerequisite Requirements:
 33- Fleet is required for Elastic Defend.
 34- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 35
 36#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 37- Go to the Kibana home page and click "Add integrations".
 38- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 39- Click "Add Elastic Defend".
 40- Configure the integration name and optionally add a description.
 41- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 42- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 43- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 44- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 45For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 46- Click "Save and Continue".
 47- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 48For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 49"""
 50severity = "low"
 51tags = [
 52    "Domain: Endpoint",
 53    "OS: macOS",
 54    "Use Case: Threat Detection",
 55    "Tactic: Persistence",
 56    "Data Source: Elastic Defend",
 57    "Resources: Investigation Guide",
 58]
 59timestamp_override = "event.ingested"
 60type = "query"
 61
 62query = '''
 63event.category:file and host.os.type:macos and not event.type:"deletion" and
 64 file.path:(/private/etc/periodic/* or /private/etc/defaults/periodic.conf or /private/etc/periodic.conf)
 65'''
 66note = """## Triage and analysis
 67
 68> **Disclaimer**:
 69> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 70
 71### Investigating Potential Persistence via Periodic Tasks
 72
 73Periodic tasks in macOS are scheduled operations that automate system maintenance and other routine activities. Adversaries may exploit these tasks to execute unauthorized code or maintain persistence by altering task configurations. The detection rule identifies suspicious file activities related to periodic task configurations, excluding deletions, to flag potential misuse. This helps in early detection of persistence mechanisms employed by attackers.
 74
 75### Possible investigation steps
 76
 77- Review the file path specified in the alert to determine which configuration file was created or modified. Focus on paths like /private/etc/periodic/*, /private/etc/defaults/periodic.conf, or /private/etc/periodic.conf.
 78- Examine the contents of the modified or newly created configuration file to identify any unauthorized or suspicious entries that could indicate malicious activity.
 79- Check the timestamp of the file modification or creation to correlate with any known suspicious activities or other alerts in the same timeframe.
 80- Investigate the user account and process responsible for the file modification to determine if it aligns with expected behavior or if it indicates potential compromise.
 81- Look for any related events in the system logs that might provide additional context or evidence of unauthorized access or persistence attempts.
 82- Assess the risk and impact of the changes by determining if the modified periodic task could execute malicious code or provide persistence for an attacker.
 83
 84### False positive analysis
 85
 86- Routine system updates or maintenance scripts may trigger alerts when they modify periodic task configurations. Users can create exceptions for known update processes by identifying their specific file paths or process names.
 87- Administrative tools or scripts used by IT departments for legitimate system management might alter periodic task settings. To mitigate this, users should whitelist these tools by verifying their source and ensuring they are part of authorized IT operations.
 88- Custom user scripts for personal automation tasks could be flagged if they modify periodic task configurations. Users should document and exclude these scripts by adding them to an exception list, ensuring they are reviewed and approved for legitimate use.
 89- Security software or monitoring tools that adjust system settings for protection purposes might inadvertently trigger the rule. Users should verify these tools' activities and exclude them if they are confirmed to be part of the security infrastructure.
 90
 91### Response and remediation
 92
 93- Isolate the affected macOS system from the network to prevent potential lateral movement or further execution of unauthorized code.
 94- Review the identified periodic task configuration files for unauthorized modifications or additions. Restore any altered files to their original state using known good backups.
 95- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious code that may have been executed through the periodic tasks.
 96- Check for any additional persistence mechanisms that may have been established by the adversary, such as other scheduled tasks or startup items, and remove them.
 97- Monitor the system and network for any signs of continued unauthorized activity or attempts to re-establish persistence.
 98- Escalate the incident to the security operations team for further investigation and to determine if other systems may be affected.
 99- Implement enhanced monitoring and alerting for changes to periodic task configurations to quickly detect similar threats in the future."""
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1053"
106name = "Scheduled Task/Job"
107reference = "https://attack.mitre.org/techniques/T1053/"
108[[rule.threat.technique.subtechnique]]
109id = "T1053.003"
110name = "Cron"
111reference = "https://attack.mitre.org/techniques/T1053/003/"
112
113
114
115[rule.threat.tactic]
116id = "TA0003"
117name = "Persistence"
118reference = "https://attack.mitre.org/tactics/TA0003/"