Based on the reference links for the "WebProxy Settings Modification" detection rule if an attacker wants to intercept TLS from a Mac system they will attempt to install a webproxy service and also install a new Root Certificate. Doing only one step without the other is less likely to indicate an attack.
I recommend an EQL rule that creates a critical alert when both alerts are seen on a single host within a 24h timespan. The long timespan is because sometimes making changes to the webproxy requires a reboot, so it is possible the attacker could do these as two discrete actions.
Required Info
Target indexes
.siem-signals-*
Additional requirements
The "WebProxy Settings Modification" and the "Attempt to Install Root Certificate" rules need to be deployed for this to work. The .siem-signals-* index pattern needs to be available to the detection engine as well. If the users are using Kibana spaces they may want to update the index pattern to use .siem-signals-<spacename>-*.
Target Operating Systems
macOS
Optional Info
Query
sequence by host.name with maxspan=24h
[any where signal.rule.name == "WebProxy Settings Modification"]
[any where signal.rule.name == "Attempt to Install Root Certificate"]
The order of the creation of the detections may be either way, so it would probably be good to account for cases where each of them comes first.
Note that this will break if the user duplicates the rule to make a custom named copy of the signal rather than use the built in name.
New fields required in ECS/data sources for this rule?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.