[Tuning] MacOS DR Tuning PR (#4546)

* [Tuning] MacOS DR Tuning PR

* tunings

* tuning

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_script_via_automator_workflows.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* fix

---------

Co-authored-by: shashank-elastic <[email protected]>

Author: DefSecSentinel

rules/macos/credential_access_credentials_keychains.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Access to Keychain Credentials Directories"
+name = "Keychain CommandLine Interaction via Unsigned or Untrusted Process"
 references = [
     "https://objective-see.com/blog/blog_0x25.html",
     "https://securelist.com/calisto-trojan-for-macos/86543/",
@@ -60,47 +60,18 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "macos" and event.type in ("start", "process_started") and
-  process.args :
-    (
-      "/Users/*/Library/Keychains/*",
-      "/Library/Keychains/*",
-      "/Network/Library/Keychains/*",
-      "System.keychain",
-      "login.keychain-db",
-      "login.keychain"
-    ) and
-    not process.args : ("find-certificate",
-                        "add-trusted-cert",
-                        "set-keychain-settings",
-                        "delete-certificate",
-                        "/Users/*/Library/Keychains/openvpn.keychain-db",
-                        "show-keychain-info",
-                        "lock-keychain",
-                        "set-key-partition-list",
-                        "import",
-                        "find-identity") and
-    not process.parent.executable :
-      (
-        "/Applications/OpenVPN Connect/OpenVPN Connect.app/Contents/MacOS/OpenVPN Connect",
-        "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon_enterprise.app/Contents/MacOS/wdavdaemon_enterprise",
-        "/opt/jc/bin/jumpcloud-agent"
-      ) and
-    not process.executable : ("/opt/jc/bin/jumpcloud-agent", "/usr/bin/basename") and
-    not process.Ext.effective_parent.executable : ("/opt/rapid7/ir_agent/ir_agent",
-                                                   "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint",
-                                                   "/Applications/QualysCloudAgent.app/Contents/MacOS/qualys-cloud-agent",
-                                                   "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon",
-                                                   "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService",
-                                                   "/usr/local/jamf/bin/jamf",
-                                                   "/Applications/Microsoft Defender.app/Contents/MacOS/wdavdaemon")
+process where host.os.type == "macos" and event.type in ("start", "process_started") and event.action == "exec" and
+  process.args like ("/Users/*/Library/Keychains/*", "/Library/Keychains/*", "login.keychain-db", "login.keychain") and 
+  ((process.code_signature.trusted == false or process.code_signature.exists == false) or 
+   (process.name in ("bash", "sh", "zsh", "osascript", "cat", "echo", "cp") and 
+   (process.parent.code_signature.trusted == false or process.parent.code_signature.exists == false)))
 '''
 note = """## Triage and analysis
 
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Access to Keychain Credentials Directories
+### Investigating Keychain CommandLine Interaction via Unsigned or Untrusted Process
 
 macOS keychains securely store user credentials, such as passwords and certificates, essential for system and application authentication. Adversaries may target these directories to extract sensitive information, potentially compromising user accounts and system integrity. The detection rule identifies suspicious access attempts by monitoring process activities related to keychain directories, excluding known legitimate processes and actions, thus highlighting potential unauthorized access attempts.
 

rules/macos/credential_access_dumping_hashes_bi_cmds.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ lateral movement.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Dumping Account Hashes via Built-In Commands"
 references = [
@@ -57,11 +57,11 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and host.os.type:macos and event.type:start and
- process.name:(defaults or mkpassdb) and process.args:(ShadowHashData or "-dump")
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
+ process.name in ("defaults", "mkpassdb") and process.args like~ ("ShadowHashData", "-dump")
 '''
 note = """## Triage and analysis
 

rules/macos/credential_access_dumping_keychain_security.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 
 query = '''
-process where host.os.type == "macos" and event.type in ("start", "process_started") and process.args : "dump-keychain" and process.args : "-d"
+process where host.os.type == "macos" and event.type in ("start", "process_started") and 
+ process.args like~ "dump-keychain" and process.args == "-d"
 '''
 note = """## Triage and analysis
 

rules/macos/credential_access_kerberosdump_kcc.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ may attempt to dump credential material in the form of tickets that can be lever
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "Kerberos Cached Credentials Dumping"
 references = [
@@ -56,12 +56,12 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and host.os.type:macos and event.type:(start or process_started) and
-  process.name:kcc and
-  process.args:copy_cred_cache
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
+  process.name == "kcc" and
+  process.args like~ "copy_cred_cache"
 '''
 note = """## Triage and analysis
 

rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/01/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -64,10 +64,10 @@ type = "eql"
 
 query = '''
 process where host.os.type == "macos" and event.action == "exec" and
- process.name : "security" and
- process.args : ("-wa", "-ga") and process.args : ("find-generic-password", "find-internet-password") and
+ process.name == "security" and
+ process.args like ("-wa", "-ga") and process.args like~ ("find-generic-password", "find-internet-password") and
  process.command_line : ("*Chrome*", "*Chromium*", "*Opera*", "*Safari*", "*Brave*", "*Microsoft Edge*", "*Firefox*") and
- not process.parent.executable : "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*"
+ not process.parent.executable like "/Applications/Keeper Password Manager.app/Contents/Frameworks/Keeper Password Manager Helper*/Contents/MacOS/Keeper Password Manager Helper*"
 '''
 note = """## Triage and analysis
 

rules/macos/credential_access_mitm_localhost_webproxy.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ hijack web browser traffic for credential access via traffic sniffing or redirec
 false_positives = ["Legitimate WebProxy Settings Modification"]
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "WebProxy Settings Modification"
 references = [
@@ -57,15 +57,12 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and host.os.type:macos and event.type:start and
- process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and
- not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or
-                                  "/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or
-                                  "/usr/libexec/xpcproxy") and
- not process.Ext.effective_parent.executable : ("/Applications/Proxyman.app/Contents/MacOS/Proxyman" or "/Applications/Incoggo.app/Contents/MacOS/Incoggo.app")
+process where host.os.type == "macos" and event.type in ("start", "process_started") and event.action == "exec" and
+ process.name == "networksetup" and process.args like~ ("-setwebproxy", "-setsecurewebproxy", "-setautoproxyurl") and
+ (process.parent.name like~ ("osascript", "bash", "sh", "zsh", "Terminal", "Python*") or (process.parent.code_signature.exists == false or process.parent.code_signature.trusted == false))
 '''
 note = """## Triage and analysis
 

rules/macos/credential_access_promt_for_pwd_via_osascript.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/04"
+updated_date = "2025/04/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ from = "now-9m"
 index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
-name = "Prompt for Credentials with OSASCRIPT"
+name = "Prompt for Credentials with Osascript"
 references = [
     "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/prompt.py",
     "https://ss64.com/osx/osascript.html",
@@ -60,12 +60,14 @@ type = "eql"
 
 query = '''
 process where event.action == "exec" and host.os.type == "macos" and
- process.name : "osascript" and process.args : "-e" and process.command_line : ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*") and
- not (process.parent.executable : "/usr/bin/sudo" and process.command_line : "*Encryption Key Escrow*") and
- not (process.command_line : "*-e with timeout of 3600 seconds*" and user.id == "0" and process.parent.executable : "/bin/bash") and
- not process.Ext.effective_parent.executable : ("/usr/local/jamf/*",
+ process.name == "osascript" and process.args == "-e" and process.command_line like~ ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*", "*pass*display*dialog*") and
+ not (process.parent.executable == "/usr/bin/sudo" and process.command_line like~ "*Encryption Key Escrow*") and
+ not (process.command_line like~ "*-e with timeout of 3600 seconds*" and user.id like "0" and process.parent.executable == "/bin/bash") and
+ not process.Ext.effective_parent.executable like~
+                                               ("/usr/local/jamf/*",
+                                                "/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon",
+                                                "/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM",
                                                 "/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements",
-                                                "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                                                 "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon",
                                                 "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService")
 '''

rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -57,15 +57,15 @@ type = "eql"
 
 query = '''
 file where event.action == "open" and host.os.type == "macos" and process.executable != null and
- file.name : ("cookies.sqlite",
-              "key?.db",
-              "logins.json",
-              "Cookies",
-              "Cookies.binarycookies",
-              "Login Data") and
- ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name : "osascript") and
- not process.code_signature.signing_id : "org.mozilla.firefox" and
- not Effective_process.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint"
+ file.name like~ ("cookies.sqlite",
+                  "key?.db",
+                  "logins.json",
+                  "Cookies",
+                  "Cookies.binarycookies",
+                  "Login Data") and
+ ((process.code_signature.trusted == false or process.code_signature.exists == false) or process.name == "osascript") and
+ not process.code_signature.signing_id == "org.mozilla.firefox" and
+ not Effective_process.executable like "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint"
 '''
 note = """## Triage and analysis
 

rules/macos/credential_access_systemkey_dumping.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ keychain storage data from a system to acquire credentials.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "SystemKey Access via Command Line"
 references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"]
@@ -54,12 +54,12 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and host.os.type:macos and event.type:(start or process_started) and
-  process.args:("/private/var/db/SystemKey" or "/var/db/SystemKey") and
-  not process.Ext.effective_parent.executable : "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint"
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
+  process.args in ("/private/var/db/SystemKey", "/var/db/SystemKey") and
+  not process.Ext.effective_parent.executable like "/Library/Elastic/Endpoint/elastic-endpoint.app/Contents/MacOS/elastic-endpoint"
 '''
 note = """## Triage and analysis
 

rules/macos/defense_evasion_apple_softupdates_modification.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/01/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/03/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ an attempt to disable security updates.
 false_positives = ["Authorized SoftwareUpdate Settings Changes"]
 from = "now-9m"
 index = ["logs-endpoint.events.*"]
-language = "kuery"
+language = "eql"
 license = "Elastic License v2"
 name = "SoftwareUpdate Preferences Modification"
 references = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"]
@@ -54,12 +54,12 @@ tags = [
     "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
-type = "query"
+type = "eql"
 
 query = '''
-event.category:process and host.os.type:macos and event.type:(start or process_started) and
- process.name:defaults and
- process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
+ process.name == "defaults" and
+ process.args like "write" and process.args like "-bool" and process.args like~ ("com.apple.SoftwareUpdate", "/Library/Preferences/com.apple.SoftwareUpdate.plist") and not process.args like ("TRUE", "true")
 '''
 note = """## Triage and analysis