Modification of Environment Variable via Launchctl | Elastic Security Solution [7.12]

IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› › ›

« Modification of Dynamic Linker Preload Shared Object Modification of OpenSSH Binaries »

Modification of Environment Variable via Launchctledit

Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.

Rule type: query

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://github.com/rapid7/metasploit-framework/blob/master//modules/post/osx/escalate/tccbypass.rb

Tags:

Elastic
Host
macOS
Threat Detection
Defense Evasion

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule queryedit

event.category:process and event.type:start and process.name:launchctl
and process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or
DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME))

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Hijack Execution Flow
- ID: T1574
- Reference URL: https://attack.mitre.org/techniques/T1574/

« Modification of Dynamic Linker Preload Shared Object Modification of OpenSSH Binaries »