forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdefense_evasion_privacy_controls_tcc_database_modification.toml
61 lines (52 loc) · 2.24 KB
/
defense_evasion_privacy_controls_tcc_database_modification.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
[metadata]
creation_date = "2020/12/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/02/22"
[rule]
author = ["Elastic"]
description = """
Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may
indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera,
microphone, address book, and calendar.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privacy Control Bypass via TCCDB Modification"
note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
references = [
"https://applehelpwriter.com/2016/08/29/discovering-how-dropbox-hacks-your-mac/",
"https://github.com/bp88/JSS-Scripts/blob/master/TCC.db%20Modifier.sh",
"https://medium.com/@mattshockl/cve-2020-9934-bypassing-the-os-x-transparency-consent-and-control-tcc-framework-for-4e14806f1de8",
]
risk_score = 47
rule_id = "eea82229-b002-470e-a9e1-00be38b14d32"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name : "sqlite*" and
process.args : "/*/Application Support/com.apple.TCC/TCC.db" and
not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"