
The executive guide to generative AI

Read more

Update v8.10.7


This section lists all updates associated with version 8.10.7 of the Fleet integration Prebuilt Security Detection Rules.

Rule Description Status Version

Potential Okta MFA Bombing via Push Notifications

Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.



First Occurrence of Okta User Session Started via Proxy

Identifies the first occurrence of an Okta user session started via a proxy.



Multiple Okta Users with the Same Device Token Hash

Detects when Okta user or system events are reported for multiple users with the same device token hash.



Multiple Okta Client Addresses for a Single User Session

Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user’s Okta account and is using it to access the organization’s resources.



New Okta Authentication Behavior Detected

Detects events where Okta behavior detection has identified a new authentication behavior.



Okta FastPass Phishing Detection

Detects when Okta FastPass prevents a user from authenticating to a phishing website.



Okta User Sessions Started from Different Geolocations

Detects when a specific Okta actor has multiple sessions started from different geolocations.



Okta Sign-In Events via Third-Party IdP

Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).



Multiple Okta Sessions Detected for a Single User

Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user’s session cookie and is using it to access the user’s account from a different location.



New Okta Identity Provider (IdP) Added by Admin

Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.



First Time Seen NewCredentials Logon Process

Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token forging capability that are often abused to bypass access control restrictions.



Potentially Successful MFA Bombing via Push Notifications

Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured for an organization to obtain unauthorized access.



Access of Stored Browser Credentials

Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser.



Access to Keychain Credentials Directories

Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates.



Dumping Account Hashes via Built-In Commands

Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for lateral movement.



Dumping of Keychain Content via Security Command

Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.



Kerberos Cached Credentials Dumping

Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.



Keychain Password Retrieval via Command Line

Adversaries may collect keychain storage data from a system to in order to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos.



WebProxy Settings Modification

Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.



Potential macOS SSH Brute Force Detected

Identifies a high number (20) of macOS SSH KeyGen process executions from the same host. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.



Prompt for Credentials with OSASCRIPT

Identifies the use of osascript to execute scripts via standard input that may prompt a user with a rogue dialog for credentials.



SystemKey Access via Command Line

Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi and website passwords, secure notes, certificates, and Kerberos. Adversaries may collect the keychain storage data from a system to acquire credentials.



SoftwareUpdate Preferences Modification

Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. Adversaries may abuse this in an attempt to disable security updates.



Attempt to Remove File Quarantine Attribute

Identifies a potential Gatekeeper bypass. In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple’s Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses.



Attempt to Disable Gatekeeper

Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security feature that’s designed to ensure that only trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.



Attempt to Install Root Certificate

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to their command and control servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.



Modification of Environment Variable via Launchctl

Identifies modifications to an environment variable using the built-in launchctl command. Adversaries may execute their own malicious payloads by hijacking certain environment variables to load arbitrary libraries or bypass certain restrictions.



Potential Privacy Control Bypass via TCCDB Modification

Identifies the use of sqlite3 to directly modify the Transparency, Consent, and Control (TCC) SQLite database. This may indicate an attempt to bypass macOS privacy controls, including access to sensitive resources like the system camera, microphone, address book, and calendar.



Potential Privacy Control Bypass via Localhost Secure Copy

Identifies use of the Secure Copy Protocol (SCP) to copy files locally by abusing the auto addition of the Secure Shell Daemon (sshd) to the authorized application list for Full Disk Access. This may indicate attempts to bypass macOS privacy controls to access sensitive files.



Modification of Safari Settings via Defaults Command

Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.



Potential Microsoft Office Sandbox Evasion

Identifies the creation of a suspicious zip file prepended with special characters. Sandboxed Microsoft Office applications on macOS are allowed to write files that start with special characters, which can be combined with an AutoStart location to achieve sandbox evasion.



TCC Bypass via Mounted APFS Snapshot Access

Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple’s privacy framework (TCC).



Attempt to Unload Elastic Endpoint Security Kernel Extension

Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.



Enumeration of Users or Groups via Built-in Commands

Identifies the execution of macOS built-in commands related to account or group enumeration. Adversaries may use account and group information to orient themselves before deciding how to act.



Execution via Electron Child Process Node.js Module

Identifies attempts to execute a child process from within the context of an Electron application using the child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.



Suspicious Browser Child Process

Identifies the execution of a suspicious browser child process. Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation.



MacOS Installer Package Spawns Network Event

Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl). Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software. If this rule fires it should indicate the installation of a malicious or suspicious package.



Suspicious Automator Workflows Execution

Identifies the execution of the Automator Workflows process followed by a network connection from it’s XPC service. Adversaries may drop a custom workflow template that hosts malicious JavaScript for Automation (JXA) code as an alternative to using osascript.



Apple Script Execution followed by Network Connection

Detects execution via the Apple script interpreter (osascript) followed by a network connection from the same process within a short time period. Adversaries may use malicious scripts for execution and command and control.



Shell Execution via Apple Scripting

Identifies the execution of the shell process (sh) via scripting (JXA or AppleScript). Adversaries may use the doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.



Suspicious macOS MS Office Child Process

Identifies suspicious child processes of frequently targeted Microsoft Office applications (Word, PowerPoint, and Excel). These child processes are often launched during exploitation of Office applications or by documents with malicious macros.



Potential Kerberos Attack via Bifrost

Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.



Attempt to Mount SMB Share via Command Line

Identifies the execution of macOS built-in commands to mount a Server Message Block (SMB) network share. Adversaries may use valid accounts to interact with a remote network share using SMB.



Remote SSH Login Enabled via systemsetup Command

Detects use of the systemsetup command to enable remote SSH Login.



Virtual Private Network Connection Attempt

Identifies the execution of macOS built-in commands to connect to an existing Virtual Private Network (VPN). Adversaries may use VPN connections to laterally move and control remote systems on a network.



Potential Hidden Local User Account Creation

Identifies attempts to create a local account that will be hidden from the macOS logon window. This may indicate an attempt to evade user attention while maintaining persistence using a separate local account.



Launch Agent Creation or Modification and Immediate Loading

An adversary can establish persistence by installing a new launch agent that executes at login by using launchd or launchctl to load a plist into the appropriate directories.



Creation of Hidden Login Item via Apple Script

Identifies the execution of osascript to create a hidden login item. This may indicate an attempt to persist a malicious program while concealing its presence.



LaunchDaemon Creation or Modification and Immediate Loading

Indicates the creation or modification of a launch daemon, which adversaries may use to repeatedly execute malicious payloads as part of persistence.



Authorization Plugin Modification

Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.



Suspicious CronTab Creation or Modification

Identifies attempts to create or modify a crontab via a process that is not crontab (i.e python, osascript, etc.). This activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.



Suspicious Hidden Child Process of Launchd

Identifies the execution of a launchd child process with a hidden file. An adversary can establish persistence by installing a new logon item, launch agent, or daemon that executes upon login.



Persistence via DirectoryService Plugin Modification

Identifies the creation or modification of a DirectoryService PlugIns (dsplug) file. The DirectoryService daemon launches on each system boot and automatically reloads after crash. It scans and executes bundles that are located in the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.



Persistence via Docker Shortcut Modification

An adversary can establish persistence by modifying an existing macOS dock property list in order to execute a malicious application instead of the intended one when invoked.



Emond Rules Creation or Modification

Identifies the creation or modification of the Event Monitor Daemon (emond) rules. Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.



Suspicious Emond Child Process

Identifies the execution of a suspicious child process of the Event Monitor Daemon (emond). Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.



Attempt to Enable the Root Account

Identifies attempts to enable the root account using the dsenableroot command. This command may be abused by adversaries for persistence, as the root account is disabled by default.



Creation of Hidden Launch Agent or Daemon

Identifies the creation of a hidden launch agent or daemon. An adversary may establish persistence by installing a new launch agent or daemon which executes at login.



Finder Sync Plugin Registered and Enabled

Finder Sync plugins enable users to extend Finder’s functionality by modifying the user interface. Adversaries may abuse this feature by adding a rogue Finder Plugin to repeatedly execute malicious payloads for persistence.



Persistence via Folder Action Script

Detects modification of a Folder Action script. A Folder Action script is executed when the folder to which it is attached has items added or removed, or when its window is opened, closed, moved, or resized. Adversaries may abuse this feature to establish persistence by utilizing a malicious script.



Persistence via Login or Logout Hook

Identifies use of the Defaults command to install a login or logoff hook in MacOS. An adversary may abuse this capability to establish persistence in an environment by inserting code to be executed at login or logout.



Potential Persistence via Login Hook

Identifies the creation or modification of the login window property list (plist). Adversaries may modify plist files to run a program during system boot or user login for persistence.



Sublime Plugin or Application Script Modification

Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.



Potential Persistence via Periodic Tasks

Identifies the creation or modification of the default configuration for periodic tasks. Adversaries may abuse periodic tasks to execute malicious code or maintain persistence.



Unexpected Child Process of macOS Screensaver Engine

Identifies when a child process is spawned by the screensaver engine process, which is consistent with an attacker’s malicious payload being executed after the screensaver activated on the endpoint. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.



Screensaver Plist File Modified by Unexpected Process

Identifies when a screensaver plist file is modified by an unexpected process. An adversary can maintain persistence on a macOS endpoint by creating a malicious screensaver (.saver) file and configuring the screensaver plist file to execute code each time the screensaver is activated.



Suspicious Calendar File Modification

Identifies suspicious modifications of the calendar file by an unusual process. Adversaries may create a custom calendar notification procedure to execute a malicious program at a recurring interval to establish persistence.



Potential Persistence via Atom Init Script Modification

Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the file that will be executed upon the Atom application opening.



Apple Scripting Execution with Administrator Privileges

Identifies execution of the Apple script interpreter (osascript) without a password prompt and with administrator privileges.



Execution with Explicit Credentials via Scripting

Identifies execution of the security_authtrampoline process via a scripting interpreter. This occurs when programs use AuthorizationExecute-WithPrivileges from the Security.framework to run another program with root privileges. It should not be run by itself, as this is a sign of execution with explicit logon credentials.



Suspicious Child Process of Adobe Acrobat Reader Update Service

Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.



Potential Admin Group Account Addition

Identifies attempts to add an account to the admin group via the command line. This could be an indication of privilege escalation activity.



Privilege Escalation via Root Crontab File Modification

Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.



Remote File Copy via TeamViewer

Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.



Suspicious WerFault Child Process

A suspicious WerFault child process was detected, which may indicate an attempt to run via the SilentProcessExit registry key manipulation. Verify process details such as command line, network connections and file writes.



Suspicious Managed Code Hosting Process

Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious code execution.



Remote Execution via File Shares

Identifies the execution of a file that was created by the virtual system process. This may indicate lateral movement via network file shares.



Account Configured with Never-Expiring Password

Detects the creation and modification of an account with the "Don’t Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property.



Creation of a Hidden Local User Account

Identifies the creation of a hidden local user account by appending the dollar sign to the account name. This is sometimes done by attackers to increase access to a system and avoid appearing in the results of accounts listing using the net users command.



Was this helpful?