Virtual Private Network Connection Attemptedit

Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.

Rule type: eql

Rule indices:

  • auditbeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • macOS
  • Threat Detection
  • Lateral Movement

Version: 100 (version history)

Added (Elastic Stack release): 7.12.0

Last modified (Elastic Stack release): 8.5.0

Rule authors: Elastic

Rule license: Elastic License v2

Investigation guideedit

Rule queryedit

process where event.type in ("start", "process_started") and (
( : "networksetup" and process.args :
"-connectpppoeservice") or ( : "scutil" and
process.args : "--nc" and process.args : "start") or (
: "osascript" and process.command_line : "osascript*set VPN to
service*") )

Threat mappingedit


Rule version historyedit

Version 100 (8.5.0 release)
  • Formatting only
Version 4 (8.4.0 release)
  • Formatting only
Version 2 (8.2.0 release)
  • Formatting only