# Elastic detection rule: flags mount_apfs being used to mount the data volume
# from an APFS snapshot with the noowners flag, which (per the description
# below) exposes user data and TCC-protected files. Consumed by the
# detection-rules tooling, so key order and layout are kept as generated.
[metadata]
creation_date = "2020/01/04"
maturity = "production"
updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots
as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file
system, including all user data and files protected by Apple’s privacy framework (TCC).
"""
# Lookback window for each rule execution; paired with timestamp_override below
# so the window is measured against ingest time rather than event time.
from = "now-9m"
# Data sources queried: Auditbeat and Elastic Endpoint event streams.
index = ["auditbeat-*", "logs-endpoint.events.*"]
# Query language is KQL.
language = "kuery"
license = "Elastic License v2"
name = "TCC Bypass via Mounted APFS Snapshot Access"
# Background write-up on the underlying issue (CVE-2020-9771 per the URL).
references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
# risk_score 73 is paired with severity = "high" below.
risk_score = 73
rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
# Use ingest time for the time window (see `from` above).
timestamp_override = "event.ingested"
type = "query"
# Matches process start events for mount_apfs whose arguments contain both the
# data volume path and the noowners flag. Both args must be present, so a mount
# of /System/Volumes/Data without noowners does not fire.
# NOTE(review): no false_positives entry is declared; legitimate administrative
# or backup use of mount_apfs with these arguments, if any exists in the
# environment, would also match — confirm against local telemetry.
# The '''...''' body is a literal string: do not add comments inside it.
query = '''
event.category : process and event.type : (start or process_started) and process.name : mount_apfs and
process.args : (/System/Volumes/Data and noowners)
'''
# ATT&CK mapping: Direct Volume Access (T1006) under the Defense Evasion tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1006"
name = "Direct Volume Access"
reference = "https://attack.mitre.org/techniques/T1006/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"