
System and Network Configuration Check

Detects when the SystemConfiguration preferences plist file (/Library/Preferences/SystemConfiguration/preferences.plist) is opened by an unusual or suspicious process: a scripting interpreter (python, osascript, perl, ruby) or a binary executing from a shared or temporary directory such as /tmp or /Users/Shared. This file holds the host's network configuration (network sets, services, interfaces and proxy settings), so reading it from such a process may indicate an attempt to gain situational awareness of the target's network configuration. Opens whose effective process is the Docker desktop application are excluded as a known benign source.

Rule type: eql
Rule indices:

  • logs-endpoint.events.file-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Endpoint
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Data Source: Elastic Defend

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

file where host.os.type == "macos" and event.action == "open" and
  file.path like "/Library/Preferences/SystemConfiguration/preferences.plist" and
  (process.name like~ ("python*", "osascript", "perl", "ruby") or
   process.executable like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/var/tmp/*", "/private/var/tmp/*")) and
  not Effective_process.executable like "/Applications/Docker.app/Contents/MacOS/Docker"
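To make the rule's matching behaviour concrete, here is the same logic re-implemented in Python and run over a handful of constructed file-open events. This is an added example, not code from Elastic or from the rule itself: the event dictionaries, their `id` values and the `like` helper are assumptions made for illustration, and the helper only models the `*` wildcard and the case-sensitive (`like`) versus case-insensitive (`like~`) distinction, not every detail of EQL pattern syntax.

```python
import re

# Constants copied from the rule query above.
TARGET_PATH = "/Library/Preferences/SystemConfiguration/preferences.plist"
SUSPICIOUS_NAMES = ("python*", "osascript", "perl", "ruby")   # compared with like~ (case-insensitive)
SUSPICIOUS_DIRS = ("/Users/Shared/*", "/tmp/*", "/private/tmp/*",
                   "/var/tmp/*", "/private/var/tmp/*")         # compared with like (case-sensitive)
DOCKER_EXCLUSION = "/Applications/Docker.app/Contents/MacOS/Docker"


def like(value, pattern, case_insensitive=False):
    """Approximation of EQL `like` / `like~`: `*` matches any run of characters,
    everything else is literal, and the whole value must match."""
    if value is None:
        return False
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def like_any(value, patterns, case_insensitive=False):
    return any(like(value, p, case_insensitive) for p in patterns)


def rule_matches(event):
    """Return True when a flat (dotted-key) event satisfies the rule's EQL query."""
    if event.get("event.category") != "file":                       # `file where ...`
        return False
    if event.get("host.os.type") != "macos" or event.get("event.action") != "open":
        return False
    if not like(event.get("file.path"), TARGET_PATH):
        return False
    suspicious = (like_any(event.get("process.name"), SUSPICIOUS_NAMES, case_insensitive=True)
                  or like_any(event.get("process.executable"), SUSPICIOUS_DIRS))
    if not suspicious:
        return False
    # `not Effective_process.executable like ...`: a Docker effective process suppresses the alert.
    return not like(event.get("Effective_process.executable"), DOCKER_EXCLUSION)


def run_rule(events):
    """Return the ids of the events that would raise an alert, in input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (assumed, not real telemetry).
BASE = {"event.category": "file", "host.os.type": "macos", "event.action": "open",
        "file.path": TARGET_PATH}
EVENTS = [
    # Scripting interpreter reading the plist: alert.
    {**BASE, "id": "e1", "process.name": "python3", "process.executable": "/usr/bin/python3"},
    # Arbitrary binary running from /tmp: alert (matched on executable path, not name).
    {**BASE, "id": "e2", "process.name": "payload", "process.executable": "/tmp/payload"},
    # System daemon from a normal location: no alert.
    {**BASE, "id": "e3", "process.name": "configd", "process.executable": "/usr/libexec/configd"},
    # osascript whose effective process is Docker: suppressed by the exclusion.
    {**BASE, "id": "e4", "process.name": "osascript", "process.executable": "/usr/bin/osascript",
     "Effective_process.executable": DOCKER_EXCLUSION},
    # Same file but a modification, not an open: outside the rule's event.action.
    {**BASE, "id": "e5", "event.action": "modification", "process.name": "python3",
     "process.executable": "/usr/bin/python3"},
    # Capitalised interpreter name: caught because the name comparison is like~ (case-insensitive).
    {**BASE, "id": "e6", "process.name": "Python",
     "process.executable": "/Library/Frameworks/Python.framework/Versions/3.12/Resources/Python.app/Contents/MacOS/Python"},
]

if __name__ == "__main__":
    print(run_rule(EVENTS))
```

Event e2 is the case worth noting when tuning: it alerts purely on the executable's directory, so any staged tool under /tmp or /Users/Shared that touches the file is caught even with an innocuous name, while the directory patterns themselves are case-sensitive and would not cover a differently cased path.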

Framework: MITRE ATT&CK