New MacOS detections T1016 #3672
Conversation
|
Testing is failing - Testing environment does not currently have the osquery TA for this dataset, a new release hasn't been cut on that repo, and the app itself is archived from Splunkbase (don't think it'll be unarchived either due to changes in Splunk Works) - We'll need an actual release package of that TA and getting it into the config before testing can pass. |
|
@jwindley : You think we can get this TA unarchived by the Splunkbase folks or maybe we can consider shipping these detections as experimental and have detailed info in the how to implement section due to lack of supported TA? |
|
Hi @patel-bhavin . Regarding the TA - I have made updates to https://github.com/splunk/TA-osquery to bring it up-to-date. Not sure the process for getting this latest version on to Splunkbase. @josehelps owns the TA so perhaps he can help? Happy for you to ship as experimental if you wish. |
| search: "| tstats `security_content_summariesonly` values(Processes.process) as process\ | ||
| \ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\ | ||
| \ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\ | ||
| \ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\ | ||
| \ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\ | ||
| \ where Processes.process IN (\"netstat -ant\", \"arp -a\", \"ifconfig\") by Processes.action\ | ||
| \ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\ | ||
| \ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\ | ||
| \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ | ||
| | `macos_system_network_configuration_discovery_filter`\n | `macos_system_network_configuration_discovery_filter`" |
There was a problem hiding this comment.
We already have generic coverage in CIM for this in the rule https://github.com/splunk/security_content/blob/develop/detections/endpoint/linux_system_network_discovery.yml
You just need to updated the Data Source and linked test in that rule.
We could debate if its necessary updating the name (because its incorrect now that macos is added).
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log | ||
| sourcetype: osquery:results |
There was a problem hiding this comment.
This test is pointing to unrelated data and needs updating.
| earliest_offset: $info_min_time$ | ||
| latest_offset: $info_max_time$ | ||
| rba: | ||
| message: MacOS firewall rules listed |
There was a problem hiding this comment.
This message requires additional data to be shown such as the executed command
Does not make sense to ship these if there is no easy way for a customer to get this data imo. We should work to get the TA back on splunkbase or just keep this on hold |
4 participants
Adding a couple of MacOS detections (first of many, hopefully), using data captured from TA-osquery.