Authorization Plugin Modification

Elastic Detection Rules

Summary
This rule, authored by Elastic, detects unauthorized modifications to authorization plugins on macOS. Authorization plugins extend the operating system's authentication capabilities, enabling features such as third-party multi-factor authentication. Malicious actors can abuse the same mechanism to establish persistence or to capture clear-text credentials during user login. The rule's query filters for file modifications in the directories where security plugins reside, excluding known legitimate plugins, in order to surface activity that may indicate credential theft or persistence.

Setup requires data from the Elastic Defend integration with Elastic Agent; administrators should ensure the integration is configured and enrolled in the Fleet server so that macOS systems are monitored. Operating this rule also involves reviewing the processes and file paths involved in each alert to distinguish legitimate updates from potential threats, so that malicious modifications are detected and addressed quickly.
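To make the filtering logic concrete, the following added example (not Elastic's rule query) applies the same idea to constructed ECS-like file events: flag writes under the macOS authorization plugin directory unless the writing process is on an allowlist. The plugin path is the standard macOS location; the allowlisted executables and sample events are assumptions constructed for the example.

```python
import json
from typing import Dict, Iterable, List

# Directory from which macOS loads authorization (SecurityAgent) plugins.
PLUGIN_DIR = "/Library/Security/SecurityAgentPlugins/"

# Constructed allowlist of writers treated as legitimate in this example;
# a real deployment tunes this to its own installer and MDM tooling.
TRUSTED_WRITERS = {"/usr/sbin/installer", "/usr/bin/ditto"}


def is_suspicious(event: Dict) -> bool:
    """True when a non-deletion file event touches the plugin directory
    from a process that is not on the allowlist."""
    meta = event.get("event", {})
    if meta.get("category") != "file" or meta.get("type") == "deletion":
        return False
    path = event.get("file", {}).get("path", "")
    if not path.startswith(PLUGIN_DIR):
        return False
    return event.get("process", {}).get("executable") not in TRUSTED_WRITERS


def detect(lines: Iterable[str]) -> List[Dict]:
    """Run the filter over newline-delimited JSON events and return alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_suspicious(ev):
            alerts.append({
                "file": ev["file"]["path"],
                "process": ev["process"]["executable"],
                "technique": "T1547.002",  # Authorization Plugin persistence
            })
    return alerts


# Constructed sample events in an ECS-like shape (not real telemetry).
SAMPLE_EVENTS = """
{"event":{"category":"file","type":"creation"},"file":{"path":"/Library/Security/SecurityAgentPlugins/VendorMFA.bundle/Contents/Info.plist"},"process":{"executable":"/usr/sbin/installer"}}
{"event":{"category":"file","type":"change"},"file":{"path":"/Library/Security/SecurityAgentPlugins/Helper.bundle/Contents/MacOS/Helper"},"process":{"executable":"/Users/alice/Downloads/setup"}}
{"event":{"category":"file","type":"deletion"},"file":{"path":"/Library/Security/SecurityAgentPlugins/Old.bundle"},"process":{"executable":"/Users/alice/Downloads/setup"}}
{"event":{"category":"file","type":"change"},"file":{"path":"/Users/alice/notes.txt"},"process":{"executable":"/Users/alice/Downloads/setup"}}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Only the second sample event fires: the installer write is allowlisted, the deletion is excluded, and the last write is outside the plugin directory.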
Categories
  • Endpoint
  • macOS
Data Sources
  • File
  • Application Log
  • Process
ATT&CK Techniques
  • T1547
  • T1547.002
Created: 2021-01-13