Execution with Explicit Credentials via Scripting
Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecuteWithPrivileges from the Security.framework to run another program with root privileges. security_authtrampoline should not be launched directly by a scripting interpreter, as this is a sign of execution with explicit logon credentials.
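# Elastic prebuilt detection rule: security_authtrampoline spawned by a scripting
# interpreter on macOS. The `description` and `query` below carry the detection logic;
# the [[rule.threat]] elements carry the ATT&CK mapping.
[metadata]
creation_date = "2020/12/07"
# Integrations whose events this rule consumes; keep in step with `index` under [rule].
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
# NOTE(review): the Security.framework API is spelled AuthorizationExecuteWithPrivileges;
# the hyphen in the text below looks like a line-wrap artifact rather than part of the name.
description = """
Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use
AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should
not be run by itself, as this is a sign of execution with explicit logon credentials.
"""
# Lookback window for each rule execution; sized to overlap consecutive runs so that
# late-arriving events are not missed.
from = "now-9m"
# Indices searched: Auditbeat and Elastic Defend (endpoint) process events.
index = ["auditbeat-*", "logs-endpoint.events.*"]
# `query` below is written in KQL.
language = "kuery"
license = "Elastic License v2"
name = "Execution with Explicit Credentials via Scripting"
references = [
    "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
    "https://www.manpagez.com/man/8/security_authtrampoline/",
]
# risk_score and severity must stay consistent: 47 is the medium band.
risk_score = 47
# Stable identifier for this rule; it must not change across rule updates.
rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
]
# Evaluate on ingest time rather than @timestamp so delayed endpoint events still fall
# inside the `from` lookback window.
timestamp_override = "event.ingested"
type = "query"

# Process start events on macOS where security_authtrampoline's direct parent is a
# scripting interpreter or the Automator runner. Matching is by parent process name only;
# if legitimate administrative scripts trigger this, prefer rule exceptions over
# removing interpreters from the list. `python*` and `Python` are listed separately:
# keyword matching is case-sensitive and the capitalized form is the macOS framework
# binary name — confirm against the field mapping in use.
query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:"security_authtrampoline" and
 process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)
'''

# ATT&CK mapping. Each [[rule.threat]] element groups the techniques attributed to one
# tactic; its [rule.threat.tactic] sub-table must follow the element's techniques and
# precede the next [[rule.threat]] element.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"

[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

# Second tactic: the scripting interpreter that launches the trampoline.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"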