
Modification of Environment Variable via Unsigned or Untrusted Parent
Elastic Detection Rules
Summary
This detection rule identifies suspicious modification of environment variables on macOS via the `launchctl` command. Adversaries may use this tactic to circumvent security mechanisms, since altering environment variables can redirect execution to unauthorized payloads (T1574.007, Path Interception by PATH Environment Variable). The rule specifically looks for a `launchctl` process that is started by an unsigned or untrusted parent process, which is the discriminator between this activity and routine administrative use of the same command. The query matches the `setenv` subcommand in combination with specific flags that signal suspicious behavior. By tracking these alterations, security teams can investigate the parent process and respond before environment variable manipulation is exploited.
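The following is an added example that re-implements the rule's core conditions over constructed process events; it is not Elastic's own query. Field names follow ECS (`process.name`, `process.args`, `process.parent.code_signature.exists` / `.trusted`), and because the page does not spell out the additional "suspicious flags", only the `launchctl` / `setenv` / untrusted-parent conditions are modelled.

```python
from typing import Iterable


def parent_is_untrusted(event: dict) -> bool:
    """True when the parent process is unsigned or its signature is not trusted."""
    sig = event.get("process", {}).get("parent", {}).get("code_signature", {})
    # Missing signature information is treated as unsigned (assumption for this example).
    return not sig.get("exists", False) or not sig.get("trusted", False)


def is_launchctl_setenv_from_untrusted_parent(event: dict) -> bool:
    """Core rule logic: launchctl invoking setenv, spawned by an untrusted parent."""
    proc = event.get("process", {})
    if proc.get("name") != "launchctl":
        return False
    if "setenv" not in proc.get("args", []):
        return False
    return parent_is_untrusted(event)


def find_matches(events: Iterable[dict]) -> list[dict]:
    """Return the events that would raise an alert under the modelled conditions."""
    return [e for e in events if is_launchctl_setenv_from_untrusted_parent(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # launchctl setenv spawned by an unsigned binary in /tmp: should match
        "process": {"name": "launchctl",
                    "args": ["launchctl", "setenv", "PATH", "/tmp/bin:/usr/bin"],
                    "parent": {"name": "updater", "executable": "/tmp/updater",
                               "code_signature": {"exists": False, "trusted": False}}}},
    {   # same subcommand from a trusted, signed parent: routine admin use, no match
        "process": {"name": "launchctl",
                    "args": ["launchctl", "setenv", "JAVA_HOME", "/Library/Java"],
                    "parent": {"name": "Terminal",
                               "executable": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
                               "code_signature": {"exists": True, "trusted": True}}}},
    {   # launchctl used for something other than setenv: no match
        "process": {"name": "launchctl", "args": ["launchctl", "list"],
                    "parent": {"name": "sh",
                               "code_signature": {"exists": False, "trusted": False}}}},
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        parent = hit["process"]["parent"]
        print("ALERT:", " ".join(hit["process"]["args"]), "| parent:", parent.get("executable"))
```

Running the block prints one alert, for the `setenv` call whose parent is the unsigned `/tmp/updater`.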
Categories
- Endpoint
- macOS
Data Sources
- Process
- Command
- Application Log
ATT&CK Techniques
- T1574
- T1574.007
Created: 2021-01-14