Merge pull request #1253 from oscd-initiative/oscd_art_macos_task_60_T1562.001

[OSCD] ART sync, test T1562.001: Disable or Modify Tools (macOS)
2024-11-07 01:45:21 +00:00 · 2020-12-30 22:39:15 +01:00 · 2020-12-30 22:39:15 +01:00 · 5de952d488
commit 5de952d488
parent e223d34a6e e95749e190
1 changed files with 42 additions and 0 deletions
--- a/rules/linux/macos_disable_security_tools.yml
+++ b/rules/linux/macos_disable_security_tools.yml
@ -0,0 +1,42 @@
+title: Disable Security Tools
+id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
+status: experimental
+description: Detects disabling security tools
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+logsource:
+  category: process_creation
+  product: macos
+detection:
+  launchctl_unload:
+    ProcessName: '/bin/launchctl'
+    CommandLine|contains: 'unload'
+  security_plists:
+    CommandLine|contains:
+      - 'com.objective-see.lulu.plist'                     # Objective-See firewall management utility
+      - 'com.objective-see.blockblock.plist'               # Objective-See persistence locations watcher/blocker
+      - 'com.google.santad.plist'                          # google santa
+      - 'com.carbonblack.defense.daemon.plist'             # carbon black
+      - 'com.carbonblack.daemon.plist'                     # carbon black
+      - 'at.obdev.littlesnitchd.plist'                     # Objective Development Software firewall management utility
+      - 'com.tenablesecurity.nessusagent.plist'            # Tenable Nessus 
+      - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
+      - 'com.crowdstrike.falcond.plist'                    # Crowdstrike Falcon
+      - 'com.crowdstrike.userdaemon.plist'                 # Crowdstrike Falcon
+      - 'osquery'                                          # facebook osquery
+      - 'filebeat'                                         # elastic log file shipper
+      - 'auditbeat'                                        # elastic auditing agent/log shipper
+      - 'packetbeat'                                       # elastic network logger/shipper
+      - 'td-agent'                                         # fluentd log shipper
+  disable_gatekeeper:
+    ProcessName: '/usr/sbin/spctl'
+    CommandLine|contains: 'disable'
+  condition: (launchctl_unload and security_plists) or disable_gatekeeper
+falsepositives:
+  - Legitimate activities
+level: low
+tags:
+  - attack.defense_evasion
+  - attack.t1562.001