A newer version is available. For the latest information, see the
current release documentation.
Authorization Plugin Modification
editAuthorization Plugin Modification
editAuthorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.
Rule type: query
Rule indices:
- auditbeat-*
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- macOS
- Threat Detection
- Persistence
Version: 1
Added (Elastic Stack release): 7.12.0
Rule authors: Elastic
Rule license: Elastic License v2
Rule query
editevent.category:file and not event.type:deletion and file.path:(/Library/Security/SecurityAgentPlugins/* and not /Library /Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*)
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
-
Technique:
- Name: Boot or Logon Autostart Execution
- ID: T1547
- Reference URL: https://attack.mitre.org/techniques/T1547/