nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/macos/command_and_control_unusual_network_connection_to_suspicious_web_service.toml

@@ -0,0 +1,197 @@
+[metadata]
+creation_date = "2025/03/26"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/08/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule monitors for the unusual occurrence of outbound network connections to suspicious webservice domains. 
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.network-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Unusual Network Connection to Suspicious Web Service"
+note = """ ## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Unusual Network Connection to Suspicious Web Service
+
+In macOS environments, network connections to web services are routine for data sharing and collaboration. However, adversaries exploit these services for command and control by disguising malicious traffic as legitimate. The detection rule identifies unusual outbound connections to known suspicious domains, flagging potential misuse by monitoring specific domain patterns and connection events, thus aiding in early threat detection.
+
+### Possible investigation steps
+
+- Review the destination domain and process executable from the alert to determine if it matches any expected web service communication.
+- Check the event.category and event.type fields to confirm the nature of the network connection and ensure it aligns with the expected behavior of a macOS system.
+- Investigate the source host identified by host.os.type to gather information about its recent activities, installed applications, and any potential indicators of compromise.
+- Analyze network traffic logs for the source host to identify any other unusual or suspicious outbound connections that may indicate a broader compromise.
+- Correlate the alert with other security events or alerts from the same host or network segment to identify patterns or related incidents.
+- Consult threat intelligence sources to gather additional context on the flagged domain and assess its reputation and history of malicious activity.
+
+### False positive analysis
+
+- Frequent access to legitimate cloud storage services like Google Drive or Dropbox for routine file sharing can trigger false positives. Users can create exceptions for specific domains or IP addresses known to be safe and frequently accessed by their organization.
+- Automated backup services that use domains such as OneDrive or SharePoint may be flagged. To mitigate this, identify and whitelist the specific services or applications that are part of regular backup operations.
+- Collaboration tools like Slack or Discord, used for legitimate communication, might be mistakenly flagged. Users should review and whitelist these domains if they are part of standard business operations.
+- URL shorteners like bit.ly or tinyurl.com used in marketing or communication campaigns can cause false alerts. Establish a list of trusted shortener services and exclude them from monitoring if they are regularly used by the organization.
+- Development and testing environments using services like ngrok or localtunnel for temporary public URLs can be misidentified. Ensure these environments are documented and excluded from the rule if they are part of normal development workflows.
+
+### Response and remediation
+
+- Immediately isolate the affected macOS device from the network to prevent further communication with the suspicious domains.
+- Conduct a thorough review of the network logs to identify any data exfiltration attempts or additional suspicious connections originating from the isolated device.
+- Remove any unauthorized or suspicious applications or scripts found on the device that may be facilitating the outbound connections.
+- Update the device's security software and perform a full system scan to detect and remove any malware or unauthorized software.
+- Reset credentials and review access permissions for the affected user accounts to prevent unauthorized access.
+- Monitor the network for any further attempts to connect to the flagged domains and ensure that alerts are configured to notify security teams of any recurrence.
+- Escalate the incident to the security operations center (SOC) or relevant cybersecurity team for further investigation and to determine if the threat is part of a larger attack campaign.
+"""
+risk_score = 47
+rule_id = "b07f0fba-0a78-11f0-8311-b66272739ecb"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+query = '''
+event.category : "network" and host.os.type : "macos" and event.type : "start" and
+destination.domain : (
+    pastebin.* or
+    paste.ee or
+    ghostbin.com or
+    drive.google.com or
+    ?.docs.live.net or
+    api.dropboxapi.* or
+    content.dropboxapi.* or
+    *dl.dropboxusercontent.* or
+    api.onedrive.com or
+    *.onedrive.org or
+    onedrive.live.com or
+    filebin.net or
+    *.ngrok.io or
+    ngrok.com or
+    *.portmap.* or
+    *serveo.net or
+    *localtunnel.me or
+    *pagekite.me or
+    *localxpose.io or
+    *notabug.org or
+    rawcdn.githack.* or
+    paste.nrecom.net or
+    zerobin.net or
+    controlc.com or
+    requestbin.net or
+    api.slack.com or
+    slack-redir.net or
+    slack-files.com or
+    cdn.discordapp.com or
+    discordapp.com or
+    discord.com or
+    apis.azureedge.net or
+    cdn.sql.gg or
+    ?.top4top.io or
+    top4top.io or
+    uplooder.net or
+    *.cdnmegafiles.com or
+    transfer.sh or
+    updates.peer2profit.com or
+    api.telegram.org or
+    t.me or
+    meacz.gq or
+    rwrd.org or
+    *.publicvm.com or
+    *.blogspot.com or
+    api.mylnikov.org or
+    script.google.com or
+    script.googleusercontent.com or
+    paste4btc.com or
+    workupload.com or
+    temp.sh or
+    filetransfer.io or
+    gofile.io or
+    store?.gofile.io or
+    tiny.one or
+    api.notion.com or
+    *.sharepoint.com or
+    *upload.ee or
+    bit.ly or
+    t.ly or
+    cutt.ly or
+    mbasic.facebook.com or
+    api.gofile.io or
+    file.io or
+    api.anonfiles.com or
+    api.trello.com or
+    gist.githubusercontent.com or
+    dpaste.com or
+    *azurewebsites.net or
+    *.zulipchat.com or
+    *.4shared.com or
+    filecloud.me or
+    i.ibb.co or
+    files.catbox.moe or
+    *.getmyip.com or
+    mockbin.org or
+    webhook.site or
+    run.mocky.io or
+    *infinityfreeapp.com or
+    free.keep.sh or
+    tinyurl.com or
+    ftpupload.net or
+    lobfile.com or
+    *.ngrok-free.app or
+    myexternalip.com or
+    yandex.ru or
+    *.yandex.ru or
+    *.aternos.me or
+    cdn??.space or
+    *.pcloud.com or
+    mediafire.zip or
+    urlz.fr or
+    rentry.co or
+    *.b-cdn.net or
+    pastecode.dev or
+    i.imgur.com or
+    the.earth.li or
+    *.trycloudflare.com
+) and 
+not (destination.domain : (*.sharepoint.com or *.azurewebsites.net or "onedrive.live.com" or *.b-cdn.net or api.onedrive.com or "drive.google.com" or *.blogspot.com) and process.code_signature.subject_name:(*Microsoft* or "Software Signing" or "Apple Mac OS Application Signing" or *VMware*) and process.code_signature.trusted:true) and 
+not (process.code_signature.subject_name:(*Mozilla* or *Google* or *Brave* or *Opera* or "Software Signing" or *Zscaler* or *Browser*) and process.code_signature.trusted:true)  and 
+not (destination.domain :("discord.com" or cdn.discordapp.com or "content.dropboxapi.com" or "dl.dropboxusercontent.com") and process.code_signature.subject_name :(*Discord* or *Dropbox*) and process.code_signature.trusted:true)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[[rule.threat.technique]]
+id = "T1071"
+name = "Application Layer Protocol"
+reference = "https://attack.mitre.org/techniques/T1071/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1071.001"
+name = "Web Protocols"
+reference = "https://attack.mitre.org/techniques/T1071/001/"
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["host.id", "process.executable", "destination.domain"]
+
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-7d"

nldcsc_elastic_rules/rules/macos/credential_access_credentials_keychains.toml

@@ -0,0 +1,121 @@
+[metadata]
+creation_date = "2020/08/14"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/04/21"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way
+for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords,
+websites, secure notes and certificates.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Keychain CommandLine Interaction via Unsigned or Untrusted Process"
+references = [
+    "https://objective-see.com/blog/blog_0x25.html",
+    "https://securelist.com/calisto-trojan-for-macos/86543/",
+]
+risk_score = 73
+rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "macos" and event.type in ("start", "process_started") and event.action == "exec" and
+  process.args like ("/Users/*/Library/Keychains/*", "/Library/Keychains/*", "login.keychain-db", "login.keychain") and 
+  ((process.code_signature.trusted == false or process.code_signature.exists == false) or 
+   (process.name in ("bash", "sh", "zsh", "osascript", "cat", "echo", "cp") and 
+   (process.parent.code_signature.trusted == false or process.parent.code_signature.exists == false)))
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Keychain CommandLine Interaction via Unsigned or Untrusted Process
+
+macOS keychains securely store user credentials, such as passwords and certificates, essential for system and application authentication. Adversaries may target these directories to extract sensitive information, potentially compromising user accounts and system integrity. The detection rule identifies suspicious access attempts by monitoring process activities related to keychain directories, excluding known legitimate processes and actions, thus highlighting potential unauthorized access attempts.
+
+### Possible investigation steps
+
+- Review the process details that triggered the alert, focusing on the process.args field to identify the specific keychain directory accessed and the nature of the access attempt.
+- Examine the process.parent.executable and process.executable fields to determine the origin of the process and assess whether it is a known or potentially malicious application.
+- Investigate the process.Ext.effective_parent.executable field to trace the parent process chain and identify any unusual or unauthorized parent processes that may have initiated the access.
+- Check for any recent changes or installations on the system that could explain the access attempt, such as new software or updates that might interact with keychain directories.
+- Correlate the alert with other security events or logs from the same host to identify any patterns or additional suspicious activities that could indicate a broader compromise.
+
+### False positive analysis
+
+- Processes related to legitimate security applications like Microsoft Defender, JumpCloud Agent, and Rapid7 IR Agent may trigger false positives. Users can mitigate this by ensuring these applications are included in the exclusion list for process executables and effective parent executables.
+- Routine administrative tasks involving keychain management, such as setting keychain settings or importing certificates, might be flagged. To handle this, users should add these specific actions to the exclusion list for process arguments.
+- Applications like OpenVPN Connect and JAMF management tools that interact with keychain directories for legitimate purposes can cause false alerts. Users should verify these applications are part of the exclusion list for parent executables to prevent unnecessary alerts.
+- Regular system maintenance or updates that involve keychain access might be misinterpreted as suspicious. Users should monitor these activities and adjust the exclusion criteria as needed to accommodate known maintenance processes.
+
+### Response and remediation
+
+- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious processes identified by the detection rule that are attempting to access keychain directories without legitimate reasons.
+- Conduct a thorough review of the system's keychain access logs to identify any unauthorized access or modifications to keychain files.
+- Change all passwords and credentials stored in the keychain on the affected system to prevent potential misuse of compromised credentials.
+- Restore the system from a known good backup if unauthorized access has led to system integrity issues or data corruption.
+- Implement additional monitoring on the affected system to detect any further unauthorized access attempts, focusing on the keychain directories and related processes.
+- Escalate the incident to the security operations team for further investigation and to determine if the threat is part of a larger attack campaign."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.001"
+name = "Keychain"
+reference = "https://attack.mitre.org/techniques/T1555/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

nldcsc_elastic_rules/rules/macos/credential_access_dumping_hashes_bi_cmds.toml

@@ -0,0 +1,113 @@
+[metadata]
+creation_date = "2021/01/25"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/03/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of macOS built-in commands used to dump user account hashes. Adversaries may attempt to dump
+credentials to obtain account login information in the form of a hash. These hashes can be cracked or leveraged for
+lateral movement.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Dumping Account Hashes via Built-In Commands"
+references = [
+    "https://apple.stackexchange.com/questions/186893/os-x-10-9-where-are-password-hashes-stored",
+    "https://www.unix.com/man-page/osx/8/mkpassdb/",
+]
+risk_score = 73
+rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "macos" and event.type in ("start", "process_started") and
+ process.name in ("defaults", "mkpassdb") and process.args like~ ("ShadowHashData", "-dump")
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Dumping Account Hashes via Built-In Commands
+
+In macOS environments, built-in commands like `defaults` and `mkpassdb` can be exploited by adversaries to extract user account hashes, which are crucial for credential access. These hashes, once obtained, can be cracked to reveal passwords or used for lateral movement within a network. The detection rule identifies suspicious process executions involving these commands and specific arguments, signaling potential credential dumping activities.
+
+### Possible investigation steps
+
+- Review the process execution details to confirm the presence of the `defaults` or `mkpassdb` commands with arguments like `ShadowHashData` or `-dump`, as these are indicative of credential dumping attempts.
+- Identify the user account associated with the process execution to determine if the activity aligns with expected behavior for that user or if it appears suspicious.
+- Check the historical activity of the involved user account and the host to identify any patterns or anomalies that could suggest unauthorized access or lateral movement.
+- Investigate any network connections or subsequent processes initiated by the suspicious process to assess potential data exfiltration or further malicious actions.
+- Correlate the event with other security alerts or logs from the same host or user account to build a comprehensive timeline of the activity and assess the scope of the potential compromise.
+
+### False positive analysis
+
+- System administrators or security tools may legitimately use the `defaults` or `mkpassdb` commands for system maintenance or auditing purposes. To manage these, create exceptions for known administrative accounts or tools that regularly execute these commands.
+- Automated scripts or management software might invoke these commands as part of routine operations. Identify and whitelist these scripts or software to prevent unnecessary alerts.
+- Developers or IT personnel might use these commands during testing or development phases. Establish a process to temporarily exclude these activities by setting up time-bound exceptions for specific user accounts or devices.
+- Security assessments or penetration tests could trigger this rule. Coordinate with security teams to schedule and document these activities, allowing for temporary rule adjustments during the testing period.
+
+### Response and remediation
+
+- Immediately isolate the affected macOS system from the network to prevent further lateral movement or data exfiltration.
+- Terminate any suspicious processes identified as using the `defaults` or `mkpassdb` commands with the specified arguments to halt ongoing credential dumping activities.
+- Conduct a thorough review of user accounts on the affected system to identify any unauthorized access or changes, focusing on accounts with elevated privileges.
+- Reset passwords for all potentially compromised accounts, especially those with administrative access, and enforce strong password policies.
+- Analyze system logs and network traffic to identify any additional systems that may have been accessed using the compromised credentials, and apply similar containment measures.
+- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the full scope of the breach.
+- Implement enhanced monitoring and alerting for similar suspicious activities across the network to detect and respond to future attempts promptly."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

nldcsc_elastic_rules/rules/macos/credential_access_dumping_keychain_security.toml

@@ -0,0 +1,116 @@
+[metadata]
+creation_date = "2021/01/04"
+integration = ["endpoint"]
+maturity = "production"
+updated_date = "2025/03/18"
+
+[rule]
+author = ["Elastic"]
+description = """
+Adversaries may dump the content of the keychain storage data from a system to acquire credentials. Keychains are the
+built-in way for macOS to keep track of users' passwords and credentials for many services and features, including Wi-Fi
+and website passwords, secure notes, certificates, and Kerberos.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.process*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Dumping of Keychain Content via Security Command"
+references = ["https://ss64.com/osx/security.html"]
+risk_score = 73
+rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
+setup = """## Setup
+
+This rule requires data coming in from Elastic Defend.
+
+### Elastic Defend Integration Setup
+Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
+
+#### Prerequisite Requirements:
+- Fleet is required for Elastic Defend.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+
+#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
+- Go to the Kibana home page and click "Add integrations".
+- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
+- Click "Add Elastic Defend".
+- Configure the integration name and optionally add a description.
+- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
+- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
+- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
+- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
+For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
+- Click "Save and Continue".
+- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
+For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+"""
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: macOS",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Defend",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "macos" and event.type in ("start", "process_started") and 
+ process.args like~ "dump-keychain" and process.args == "-d"
+'''
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Dumping of Keychain Content via Security Command
+
+Keychains in macOS securely store user credentials, including passwords and certificates. Adversaries exploit this by using commands to extract keychain data, aiming to access sensitive information. The detection rule identifies suspicious activity by monitoring processes that initiate keychain dumps, specifically looking for command-line arguments associated with this malicious behavior, thus alerting analysts to potential credential theft attempts.
+
+### Possible investigation steps
+
+- Review the process details to identify the parent process and determine if the keychain dump was initiated by a legitimate application or user.
+- Examine the user account associated with the process to verify if the activity aligns with their typical behavior or if the account may be compromised.
+- Check the timestamp of the event to correlate with any other suspicious activities or anomalies on the system around the same time.
+- Investigate the command-line arguments used in the process to confirm if they match known patterns of malicious keychain dumping attempts.
+- Analyze any network connections or data transfers initiated by the process to identify potential exfiltration of the dumped keychain data.
+- Look for additional alerts or logs from the same host or user to assess if this is part of a broader attack campaign.
+
+### False positive analysis
+
+- Legitimate administrative tasks or system maintenance activities may trigger the rule if they involve keychain access. Users should review the context of the process initiation to determine if it aligns with routine administrative operations.
+- Security or IT tools that perform regular audits or backups of keychain data might be flagged. Users can create exceptions for these tools by identifying their specific process names or paths and excluding them from the rule.
+- Developers or advanced users testing applications that require keychain access might inadvertently trigger the rule. Users should document these activities and consider temporary exclusions during development phases.
+- Automated scripts or workflows that interact with keychain data for legitimate purposes could be mistaken for malicious activity. Users should ensure these scripts are well-documented and consider adding them to an allowlist if they are frequently used.
+
+### Response and remediation
+
+- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.
+- Terminate any suspicious processes identified by the detection rule, specifically those involving the "dump-keychain" command, to halt ongoing credential theft attempts.
+- Conduct a thorough review of the system's keychain access logs to identify any unauthorized access or export of credentials and determine the scope of the compromise.
+- Change all credentials stored in the keychain, including passwords for Wi-Fi, websites, and any other services, to mitigate the risk of unauthorized access using stolen credentials.
+- Restore the system from a known good backup if any unauthorized changes or malware are detected, ensuring that the backup predates the compromise.
+- Escalate the incident to the security operations team for further investigation and to assess whether additional systems may be affected.
+- Implement enhanced monitoring and alerting for similar suspicious activities, focusing on keychain access and command-line arguments related to credential dumping, to prevent future incidents."""
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
+[[rule.threat.technique.subtechnique]]
+id = "T1555.001"
+name = "Keychain"
+reference = "https://attack.mitre.org/techniques/T1555/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+