IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Strace Process Activity Sudo Heap-Based Buffer Overflow Attempt »

› › ›

Sublime Plugin or Application Script Modification

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Sublime Plugin or Application Script Modification

edit

Adversaries may create or modify the Sublime application plugins or scripts to execute a malicious payload each time the Sublime application is started.

Rule type: eql

Rule indices:

auditbeat-*
logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5

Tags:

Elastic
Host
macOS
Threat Detection
Persistence

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit

file where event.type in ("change", "creation") and file.extension :
"py" and file.path : ( "/Users/*/Library/Application
Support/Sublime Text*/Packages/*.py", "/Applications/Sublime
Text.app/Contents/MacOS/sublime.py" ) and not process.executable
: ( "/Applications/Sublime Text*.app/Contents/MacOS/Sublime
Text*", "/usr/local/Cellar/git/*/bin/git",
"/usr/libexec/xpcproxy", "/System/Library/PrivateFrameworks/Des
ktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper"
, "/Applications/Sublime Text.app/Contents/MacOS/plugin_host"
)

Threat mapping

edit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Compromise Client Software Binary
- ID: T1554
- Reference URL: https://attack.mitre.org/techniques/T1554/

« Strace Process Activity Sudo Heap-Based Buffer Overflow Attempt »