
Summary
This detection rule identifies execution of the macOS built-in commands used to bring up a Virtual Private Network (VPN) connection. Adversaries can use an established VPN connection to reach remote systems and move laterally within a network (ATT&CK T1021, Remote Services). The rule is written in the Event Query Language (EQL) and matches macOS process-start events for three command patterns: 'networksetup' invoked with '-connectpppoeservice' to dial a PPPoE-style service, 'scutil --nc start' to start a network connection service, and 'osascript' command lines containing 'set VPN to service', the AppleScript phrase used to select and connect a VPN through System Events. It runs over process events collected from macOS endpoints into Elastic and is assigned a low risk score: the same commands are routinely run by legitimate users, so a match is a low-severity signal that warrants triage rather than a confirmation of compromise, and the low score does not suppress the alert. The accompanying investigation steps direct incident responders to isolate the device if warranted, review the process details (user, parent process, full command line and the targeted VPN service) and compare the activity with the user's normal behaviour to distinguish legitimate from malicious VPN use.
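The following is an added example, not the rule's own EQL query or any Elastic code: it re-implements the three matching conditions described above in Python and runs them over constructed ECS-style process events, then pulls out the triage context (user, parent process, target VPN service) an analyst would start from. Field names follow ECS conventions (process.name, process.args, process.command_line, host.os.type, event.type) as an assumption; the sample events, user names and the service name "Corp VPN" are made up for illustration.

```python
import re

# Constructed ECS-style process-start events (sample data, not real telemetry).
# The first three should match; the last three are benign look-alikes.
SAMPLE_EVENTS = [
    {"host.os.type": "macos", "event.type": "start", "user.name": "alice",
     "process.parent.name": "Terminal", "process.name": "networksetup",
     "process.args": ["networksetup", "-connectpppoeservice", "Corp VPN"],
     "process.command_line": 'networksetup -connectpppoeservice "Corp VPN"'},
    {"host.os.type": "macos", "event.type": "start", "user.name": "alice",
     "process.parent.name": "bash", "process.name": "scutil",
     "process.args": ["scutil", "--nc", "start", "Corp VPN"],
     "process.command_line": 'scutil --nc start "Corp VPN"'},
    {"host.os.type": "macos", "event.type": "start", "user.name": "svc_build",
     "process.parent.name": "python3", "process.name": "osascript",
     "process.args": ["osascript", "-e",
                      'tell application "System Events" to tell current location '
                      'of network preferences to set VPN to service "Corp VPN"',
                      "-e", 'tell application "System Events" to connect VPN'],
     "process.command_line": 'osascript -e tell application "System Events" to tell '
                             'current location of network preferences to set VPN to '
                             'service "Corp VPN" -e tell application "System Events" '
                             'to connect VPN'},
    # scutil --nc status only queries state; it does not start a connection.
    {"host.os.type": "macos", "event.type": "start", "user.name": "alice",
     "process.parent.name": "bash", "process.name": "scutil",
     "process.args": ["scutil", "--nc", "status", "Corp VPN"],
     "process.command_line": 'scutil --nc status "Corp VPN"'},
    # networksetup with a different verb.
    {"host.os.type": "macos", "event.type": "start", "user.name": "alice",
     "process.parent.name": "bash", "process.name": "networksetup",
     "process.args": ["networksetup", "-listallnetworkservices"],
     "process.command_line": "networksetup -listallnetworkservices"},
    # Same command line but not a macOS host: outside the rule's scope.
    {"host.os.type": "linux", "event.type": "start", "user.name": "root",
     "process.parent.name": "bash", "process.name": "scutil",
     "process.args": ["scutil", "--nc", "start", "Corp VPN"],
     "process.command_line": 'scutil --nc start "Corp VPN"'},
]


def is_vpn_connection_attempt(event):
    """Return True when a macOS process-start event matches one of the three
    built-in VPN connection command patterns the rule describes."""
    if event.get("host.os.type") != "macos":
        return False
    if event.get("event.type") not in ("start", "process_started"):
        return False

    name = event.get("process.name", "")
    args = [a.lower() for a in event.get("process.args", [])]
    cmdline = event.get("process.command_line", "").lower()

    # networksetup -connectpppoeservice <service>: dial a PPPoE-style service.
    if name == "networksetup" and "-connectpppoeservice" in args:
        return True
    # scutil --nc start <service>: start a network connection service.
    if name == "scutil" and "--nc" in args and "start" in args:
        return True
    # osascript ... set VPN to service "<name>": AppleScript driving System Events.
    if name == "osascript" and cmdline.startswith("osascript") \
            and "set vpn to service" in cmdline:
        return True
    return False


def vpn_service_name(event):
    """Best-effort extraction of the VPN service the command targets, for triage.
    Returns None when the event is not one of the matched command shapes."""
    name = event.get("process.name")
    args = event.get("process.args", [])
    if name == "networksetup":
        for i, a in enumerate(args):
            if a.lower() == "-connectpppoeservice" and i + 1 < len(args):
                return args[i + 1]
    elif name == "scutil":
        for i, a in enumerate(args):
            if a == "start" and i + 1 < len(args):
                return args[i + 1]
    elif name == "osascript":
        m = re.search(r'set vpn to service\s+"([^"]+)"',
                      event.get("process.command_line", ""), re.IGNORECASE)
        if m:
            return m.group(1)
    return None


def triage(events):
    """Run the detection over a batch and return, per match, the context an
    analyst needs first: who ran it, from which parent, against which service."""
    return [
        {"user": e.get("user.name"), "parent": e.get("process.parent.name"),
         "process": e["process.name"], "service": vpn_service_name(e)}
        for e in events if is_vpn_connection_attempt(e)
    ]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The parent-process field is the quickest discriminator in practice: a VPN started from Terminal by an interactive user is routine, while the same command spawned from a scripting interpreter under a service account is what the low-severity alert exists to surface.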
Categories
- Endpoint
- macOS
Data Sources
- Process
- Container
ATT&CK Techniques
- T1021 (Remote Services)
Created: 2020-01-25