Execution with Explicit Credentials via Scripting

Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecuteWithPrivileges from the Security.framework to run another program with root privileges. The trampoline is not meant to be invoked directly, so seeing it spawned by a scripting interpreter is a sign of execution with explicit logon credentials.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/12/07"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use
AuthorizationExecuteWithPrivileges from the Security.framework to run another program with root privileges. The
trampoline is not meant to be invoked directly, so seeing it spawned by a scripting interpreter is a sign of execution
with explicit logon credentials.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Execution with Explicit Credentials via Scripting"
references = [
    "https://objectivebythesea.com/v2/talks/OBTS_v2_Thomas.pdf",
    "https://www.manpagez.com/man/8/security_authtrampoline/",
]
risk_score = 47
rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect; for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, which provides "All events; all preventions".
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:"security_authtrampoline" and
 process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Execution with Explicit Credentials via Scripting

In macOS environments, `security_authtrampoline` is the helper that the Security.framework API `AuthorizationExecuteWithPrivileges` spawns to run a program as root once the user has authenticated, so its parent is normally a GUI application such as an installer. Scripting interpreters can reach the same code path, for example osascript running `do shell script ... with administrator privileges`, which lets an adversary who already holds, or phishes, the user's password run arbitrary commands as root. The detection rule flags `security_authtrampoline` when its parent is one of the common scripting interpreters, which is rare in normal use and a likely sign of privilege escalation with explicit credentials.

### Possible investigation steps

- Review the process details to confirm the parent process name matches one of the specified scripting interpreters (e.g., osascript, bash, python) to verify the context of the alert.
- Examine the command line arguments of the security_authtrampoline process: the path of the program being run as root appears in process.args, so identify that script or program and assess its legitimacy.
- Investigate the user account associated with the process to determine if the credentials used are valid and expected for executing such scripts.
- Check the historical activity of the involved user account and associated processes to identify any patterns of unusual or unauthorized behavior.
- Correlate the alert with other security events or logs from the same host to identify any additional indicators of compromise or related suspicious activities.
- Assess the system for any signs of compromise or unauthorized changes, such as unexpected new files, altered configurations, or additional unauthorized processes running.

### False positive analysis

- Legitimate administrative tasks using scripting languages may trigger this rule. Users should review the context of the script execution to determine if it aligns with expected administrative activities.
- Automated scripts or scheduled tasks that require elevated privileges might be flagged. Consider creating exceptions for known scripts by specifying their hash or path in the monitoring system.
- Development or testing environments where developers frequently use scripting languages to test applications with elevated privileges can cause false positives. Implement a policy to exclude these environments from the rule or adjust the risk score to reflect the lower threat level.
- Security tools or software updates that use scripting interpreters to perform legitimate actions with elevated privileges may be mistakenly identified. Verify the source and purpose of such processes and whitelist them if they are deemed safe.
- User-initiated scripts for personal productivity that require elevated access could be misinterpreted as threats. Educate users on safe scripting practices and establish a process for them to report and document legitimate use cases for exclusion.

### Response and remediation

- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or lateral movement.
- Terminate the process if it is still running to stop any ongoing unauthorized activity. The trampoline hands off to the target program under the same PID, so look for that program rather than for `security_authtrampoline` itself.
- Review and revoke any compromised credentials used in the execution of the unauthorized script to prevent further misuse.
- Conduct a thorough examination of the system for any additional unauthorized scripts or malware that may have been deployed using the compromised credentials.
- Restore the system from a known good backup if any unauthorized changes or persistent threats are detected.
- Implement stricter access controls and monitoring for the use of scripting interpreters and the `security_authtrampoline` process to prevent similar privilege escalation attempts.
- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique]]
id = "T1548"
name = "Abuse Elevation Control Mechanism"
reference = "https://attack.mitre.org/techniques/T1548/"
[[rule.threat.technique.subtechnique]]
id = "T1548.004"
name = "Elevated Execution with Prompt"
reference = "https://attack.mitre.org/techniques/T1548/004/"



[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
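The rule's query, the "examine the command line" investigation step and the path-based exception suggested in the false-positive section, worked through in Python as an added example that is not part of the Elastic rule or of Elastic's code. It evaluates the KQL clause by clause over constructed ECS-style process events (including the case-sensitive `python*` wildcard, which is why the query also lists `Python`), and on a hit pulls out the program the trampoline was asked to run as root. The events are constructed, not captured telemetry; the argv layout of `security_authtrampoline` (trampoline, target tool, "auth", fd, tool arguments) is an assumption used only to show where the target sits in `process.args`, and the allowlist is hypothetical. The first event models what osascript produces for `do shell script "id" with administrator privileges`.

```python
"""Evaluate the rule's conditions over constructed ECS-style process events.

Added example, not Elastic's code. Events are constructed; the argv layout of
security_authtrampoline ([trampoline, tool, "auth", fd, tool-args...]) is an
assumption used only to show where the target program sits in process.args.
"""
from __future__ import annotations

from fnmatch import fnmatchcase

# Parent names from the rule's query. A trailing '*' is a KQL wildcard; matching
# on a keyword field is case-sensitive, which is why the query lists both
# "python*" and "Python" (the executable inside Python.app is named "Python").
PARENT_PATTERNS = [
    "osascript", "com.apple.automator.runner", "sh", "bash", "dash", "zsh",
    "python*", "Python", "perl*", "php*", "ruby", "pwsh",
]

# Hypothetical allowlist of vetted target programs, keyed by path, as the
# false-positive section suggests. Constructed for this example.
KNOWN_GOOD_TARGETS = {"/usr/local/bin/corp-agent-updater"}

TRAMPOLINE = "/usr/libexec/security_authtrampoline"


def _values(v):
    """ECS fields such as event.type may be a scalar or an array."""
    return v if isinstance(v, list) else [v]


def parent_matches(name: str) -> bool:
    return any(fnmatchcase(name, pat) for pat in PARENT_PATTERNS)


def rule_matches(event: dict) -> bool:
    """The rule's KQL, clause by clause."""
    return (
        event.get("event.category") == "process"
        and event.get("host.os.type") == "macos"
        and any(t in ("start", "process_started") for t in _values(event.get("event.type", [])))
        and event.get("process.name") == "security_authtrampoline"
        and parent_matches(event.get("process.parent.name", ""))
    )


def target_program(args: list) -> str | None:
    """Program the trampoline was asked to run as root.

    Assumed argv layout: [trampoline, tool, "auth", fd, tool-args...]. Falls
    back to the first absolute path after argv[0] if the layout differs."""
    if len(args) >= 3 and args[2].startswith("auth"):
        return args[1]
    return next((a for a in args[1:] if a.startswith("/")), None)


def triage(event: dict) -> dict:
    """Apply the rule and, on a hit, extract what the investigation steps ask for."""
    if not rule_matches(event):
        return {"alert": False}
    target = target_program(_values(event.get("process.args", [])))
    return {
        "alert": True,
        "parent": event.get("process.parent.name"),
        "target": target,
        "user": event.get("user.name"),
        # The exception applies to the target tool, never to the trampoline itself.
        "suppressed": target in KNOWN_GOOD_TARGETS,
    }


def run(events: list) -> list:
    return [triage(e) for e in events]


def _event(parent, target, tool_args, os_type="macos", user="jdoe"):
    """Build a constructed process-start event in the shape the rule queries."""
    return {
        "event.category": "process", "event.type": ["start"], "host.os.type": os_type,
        "process.name": "security_authtrampoline", "process.executable": TRAMPOLINE,
        "process.args": [TRAMPOLINE, target, "auth", "9", *tool_args],
        "process.parent.name": parent, "user.name": user,
    }


# Constructed events, not captured telemetry.
SAMPLE_EVENTS = [
    # osascript 'do shell script "id" with administrator privileges': hit
    _event("osascript", "/bin/sh", ["-c", "id"]),
    # python3 parent matches via the python* wildcard; target is allowlisted
    _event("python3", "/usr/local/bin/corp-agent-updater", ["--check"]),
    # executable inside Python.app is literally "Python"; the wildcard alone would miss it
    _event("Python", "/usr/sbin/installer", ["-pkg", "/tmp/x.pkg", "-target", "/"]),
    # a GUI app calling AuthorizationExecuteWithPrivileges is the normal case: no hit
    _event("Installer", "/bin/sh", ["-c", "id"]),
    # same names on a non-macOS host: no hit
    _event("bash", "/bin/sh", ["-c", "id"], os_type="linux"),
]

if __name__ == "__main__":
    for result in run(SAMPLE_EVENTS):
        print(result)
```

The allowlist is keyed on the target tool rather than on `security_authtrampoline` because the trampoline binary is the same in every alert; what distinguishes a benign updater from an attacker's `/bin/sh -c` is the program it hands off to and the parent that requested it.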
