Suspicious Calendar File Modification
Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.
# Rule metadata read by the detection-rules tooling; none of these keys
# affect what the query matches.
[metadata]
creation_date = "2021/01/19"
# Integration whose data stream feeds this rule (see `index` under [rule]).
integration = ["endpoint"]
maturity = "production"
# Explains why min_stack_version was raised to the value below.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest Elastic Stack version this rule definition is written for.
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar
notification procedure to execute a malicious program at a recurring interval to establish persistence.
"""
# Expect alerts from third-party calendar/sync clients that do not live under
# the excluded paths in the query; tune the exclusion list per environment.
false_positives = ["Trusted applications for managing calendars and reminders."]
# Lookback window per run. 9m is wider than the usual 5m schedule so that
# consecutive executions overlap rather than leaving gaps.
from = "now-9m"
# File events from both Elastic Defend (logs-endpoint.events.*) and Auditbeat.
index = ["logs-endpoint.events.*", "auditbeat-*"]
# The query below is KQL ("kuery"), not EQL or Lucene.
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Calendar File Modification"
references = [
 "https://labs.f-secure.com/blog/operationalising-calendar-alerts-persistence-on-macos",
 "https://github.com/FSecureLABS/CalendarPersist",
 "https://github.com/D00MFist/PersistentJXA/blob/master/CalendarPersist.js",
]
# 47 is the risk score Elastic pairs with severity = "medium".
risk_score = 47
# Stable identifier for this rule; do not change it, alerts and exceptions key on it.
rule_id = "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51"
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
# Evaluate the lookback against ingest time instead of the event's own
# @timestamp, so events that arrive late (e.g. from hosts that were offline)
# are still considered.
timestamp_override = "event.ingested"
type = "query"

# Detection logic. Matches a modification of a per-user Calendar .ics event
# file by any process whose executable is NOT under one of the excluded paths.
# Notes for maintainers:
#  - Only event.action:modification is matched; a new .ics that yields solely a
#    creation event would not fire — verify against the data source in use.
#  - The allow-list is path-prefix based only (no code-signing or parent-process
#    check). /System/Library/* and /Applications/* are broad prefixes, so any
#    executable under those trees is trusted by this rule; narrow them if the
#    environment allows.
#  - KQL has no comment syntax, so keep explanations out of the string itself.
query = '''
event.category:file and host.os.type:macos and event.action:modification and
 file.path:/Users/*/Library/Calendars/*.calendar/Events/*.ics and
 process.executable:
 (* and not
 (
 /System/Library/* or
 /System/Applications/Calendar.app/Contents/MacOS/* or
 /System/Applications/Mail.app/Contents/MacOS/Mail or
 /usr/libexec/xpcproxy or
 /sbin/launchd or
 /Applications/*
 )
 )
'''


# MITRE ATT&CK mapping: technique T1546 (Event Triggered Execution) under the
# Persistence tactic. No [[rule.threat.technique.subtechnique]] entry is
# given, so the mapping stays at the parent-technique level.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"