From f8eac4702eaca1ede97ced2a768b98ebe638814e Mon Sep 17 00:00:00 2001 From: jwindley <15244271+jwindley@users.noreply.github.com> Date: Mon, 8 Sep 2025 20:25:21 +0100 Subject: [PATCH 1/7] New MacOS detections T1016 --- .../endpoint/macos_list_firewall_rules.yml | 66 +++++++++++++++++++ ...system_network_configuration_discovery.yml | 65 ++++++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 detections/endpoint/macos_list_firewall_rules.yml create mode 100644 detections/endpoint/macos_system_network_configuration_discovery.yml diff --git a/detections/endpoint/macos_list_firewall_rules.yml b/detections/endpoint/macos_list_firewall_rules.yml new file mode 100644 index 0000000000..e797dd31b7 --- /dev/null +++ b/detections/endpoint/macos_list_firewall_rules.yml @@ -0,0 +1,66 @@ +name: MacOS List Firewall Rules +id: f8db6e0b-55bb-40ca-bc85-2b3700adb0f8 +version: 1 +date: '2025-09-08' +author: Jamie Windley, Splunk +status: production +type: Anomaly +description: This analytic detects attempts to enumerate or verify the configuration of the macOS application firewall. Specifically, it monitors executions of `defaults read /Library/Preferences/com.apple.alf` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`. These commands provide insight into firewall status, allowed applications, and explicit authorization rules. While they are legitimate administrative operations, adversaries may leverage them to identify potential attack surfaces, determine whether the firewall is active, or enumerate allowed network flows. Monitoring for these commands, particularly when executed by non-administrative users or at unusual times, can provide early indication of reconnaissance activity on macOS endpoints +data_source: +- osquery +search: "| tstats `security_content_summariesonly` values(Processes.process) as process\ + \ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\ + \ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\ + \ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\ + \ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\ + \ where Processes.process IN (\"*defaults read /Library/Preferences/com.apple.alf*\"\ + \ \"*/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate*\") by Processes.action\ + \ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\ + \ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\ + \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ + | `macos_list_firewall_rules_filter`\n | `macos_list_firewall_rules_filter`" +how_to_implement: Collection of process execution events from macOS endpoints is required. This can be achieved using osquery’s `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp. +known_false_positives: These commands are frequently executed by system administrators or IT personnel during routine configuration checks, troubleshooting, or automated maintenance scripts. Security tools or monitoring agents may also query firewall status for inventory or compliance purposes. To reduce false positives, consider excluding events from known administrative accounts, trusted management systems, or scheduled maintenance jobs. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: MacOS firewall rules listed + risk_objects: + - field: dest + type: system + score: 6 + - field: user + type: user + score: 6 + threat_objects: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + mitre_attack_id: + - T1016 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: [] +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + sourcetype: osquery:results + source: local_vm \ No newline at end of file diff --git a/detections/endpoint/macos_system_network_configuration_discovery.yml b/detections/endpoint/macos_system_network_configuration_discovery.yml new file mode 100644 index 0000000000..efe2a7df3d --- /dev/null +++ b/detections/endpoint/macos_system_network_configuration_discovery.yml @@ -0,0 +1,65 @@ +name: MacOS System Network Configuration Discovery +id: 66945806-0891-4055-952f-ea11b7bc54dd +version: 1 +date: '2025-09-08' +author: Jamie Windley +status: production +type: Anomaly +description: This analytic detects the execution of common network configuration discovery commands on macOS systems. Specifically, it focuses on instances of `netstat -ant`, `arp -a`, and `ifconfig`. These utilities are often used for legitimate troubleshooting, but they are also frequently leveraged by adversaries during the reconnaissance phase to enumerate network interfaces, identify active connections, and discover other hosts within the same broadcast domain. Monitoring for the use of these commands, particularly when executed by unexpected users or during unusual time periods, can provide early warning of potentially malicious activity. +data_source: +- osquery +search: "| tstats `security_content_summariesonly` values(Processes.process) as process\ + \ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\ + \ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\ + \ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\ + \ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\ + \ where Processes.process IN (\"netstat -ant\", \"arp -a\", \"ifconfig\") by Processes.action\ + \ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\ + \ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\ + \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ + | `macos_system_network_configuration_discovery_filter`\n | `macos_system_network_configuration_discovery_filter`" +how_to_implement: Collection of process execution events from macOS endpoints is required. This can be achieved using osquery’s `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp. +known_false_positives: These commands are commonly executed by system administrators, help desk personnel, monitoring agents, and diagnostic scripts as part of routine system maintenance. Security tools and network monitoring utilities may also invoke these commands for inventory or health check purposes. To reduce false positives, consider excluding events originating from trusted management hosts, known administrative accounts, or processes executed on a predictable schedule. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: MacOS system network configuration discovery command observed + risk_objects: + - field: dest + type: system + score: 6 + - field: user + type: user + score: 6 + threat_objects: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + mitre_attack_id: + - T1016 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: [] +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + sourcetype: osquery:results + source: local_vm \ No newline at end of file From 14e718913d06924a25b3259609b6f66b91d411a5 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Wed, 12 Nov 2025 17:16:57 +0100 Subject: [PATCH 2/7] Update macos_list_firewall_rules.yml --- .../endpoint/macos_list_firewall_rules.yml | 107 ++++++++++++------ 1 file changed, 70 insertions(+), 37 deletions(-) diff --git a/detections/endpoint/macos_list_firewall_rules.yml b/detections/endpoint/macos_list_firewall_rules.yml index e797dd31b7..661b8ce026 100644 --- a/detections/endpoint/macos_list_firewall_rules.yml +++ b/detections/endpoint/macos_list_firewall_rules.yml @@ -5,47 +5,81 @@ date: '2025-09-08' author: Jamie Windley, Splunk status: production type: Anomaly -description: This analytic detects attempts to enumerate or verify the configuration of the macOS application firewall. Specifically, it monitors executions of `defaults read /Library/Preferences/com.apple.alf` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`. These commands provide insight into firewall status, allowed applications, and explicit authorization rules. While they are legitimate administrative operations, adversaries may leverage them to identify potential attack surfaces, determine whether the firewall is active, or enumerate allowed network flows. Monitoring for these commands, particularly when executed by non-administrative users or at unusual times, can provide early indication of reconnaissance activity on macOS endpoints +description: | + This analytic detects attempts to enumerate or verify the configuration of the macOS application firewall. + Specifically, it monitors executions of `defaults read /Library/Preferences/com.apple.alf` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`. + These commands provide insight into firewall status, allowed applications, and explicit authorization rules. + While they are legitimate administrative operations, adversaries may leverage them to identify potential attack surfaces, determine whether the firewall is active, or enumerate allowed network flows. + Monitoring for these commands, particularly when executed by non-administrative users or at unusual times, can provide early indication of reconnaissance activity on macOS endpoints data_source: - osquery -search: "| tstats `security_content_summariesonly` values(Processes.process) as process\ - \ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\ - \ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\ - \ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\ - \ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\ - \ where Processes.process IN (\"*defaults read /Library/Preferences/com.apple.alf*\"\ - \ \"*/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate*\") by Processes.action\ - \ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\ - \ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\ - \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ - | `macos_list_firewall_rules_filter`\n | `macos_list_firewall_rules_filter`" -how_to_implement: Collection of process execution events from macOS endpoints is required. This can be achieved using osquery’s `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp. -known_false_positives: These commands are frequently executed by system administrators or IT personnel during routine configuration checks, troubleshooting, or automated maintenance scripts. Security tools or monitoring agents may also query firewall status for inventory or compliance purposes. To reduce false positives, consider excluding events from known administrative accounts, trusted management systems, or scheduled maintenance jobs. -references: [] +search: | + | tstats `security_content_summariesonly` + count + values(Processes.process) as process + values(Processes.parent_process) AS parent_process + values(Processes.parent_process_exec) AS parent_process_exec + values(Processes.parent_process_id) AS parent_process_id + values(Processes.parent_process_name) AS parent_process_name + values(Processes.parent_process_path) AS parent_process_path + min(_time) as firstTime + max(_time) as lastTime + + from datamodel=Endpoint.Processes where + ( + Processes.process_name = "defaults" + Processes.process = "* read *", + Processes.process = "*/Library/Preferences/com.apple.alf*" + ) + OR + ( + Processes.process_name = "socketfilterfw" + Processes.process = "*--getglobalstate*" + ) + + by Processes.action Processes.dest Processes.process Processes.process_hash + Processes.process_id Processes.process_name Processes.process_path + Processes.user Processes.vendor_product + + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `macos_list_firewall_rules_filter` +how_to_implement: | + Collection of process execution events from macOS endpoints is required. This can be achieved using osquery's `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp. +known_false_positives: | + These commands are frequently executed by system administrators or IT personnel during routine configuration checks, troubleshooting, or automated maintenance scripts. Security tools or monitoring agents may also query firewall status for inventory or compliance purposes. To reduce false positives, consider excluding events from known administrative accounts, trusted management systems, or scheduled maintenance jobs. +references: + - https://www.manpagez.com/man/8/socketfilterfw/ + - https://ss64.com/mac/defaults.html drilldown_searches: -- name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", - "$dest$") starthoursago=168 | stats count min(_time) - as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) - as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) - as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ rba: message: MacOS firewall rules listed risk_objects: - - field: dest - type: system - score: 6 - - field: user - type: user - score: 6 - threat_objects: [] + - field: dest + type: system + score: 6 + - field: user + type: user + score: 6 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name tags: analytic_story: - Network Discovery @@ -57,10 +91,9 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: [] tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log sourcetype: osquery:results - source: local_vm \ No newline at end of file + source: osquery From 7effc6f4756bbefc90c7ca6c87e11e3baafeb99c Mon Sep 17 00:00:00 2001 From: jwindley <15244271+jwindley@users.noreply.github.com> Date: Mon, 8 Sep 2025 20:25:21 +0100 Subject: [PATCH 3/7] New MacOS detections T1016 --- .../endpoint/macos_list_firewall_rules.yml | 66 +++++++++++++++++++ ...system_network_configuration_discovery.yml | 65 ++++++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 detections/endpoint/macos_list_firewall_rules.yml create mode 100644 detections/endpoint/macos_system_network_configuration_discovery.yml diff --git a/detections/endpoint/macos_list_firewall_rules.yml b/detections/endpoint/macos_list_firewall_rules.yml new file mode 100644 index 0000000000..e797dd31b7 --- /dev/null +++ b/detections/endpoint/macos_list_firewall_rules.yml @@ -0,0 +1,66 @@ +name: MacOS List Firewall Rules +id: f8db6e0b-55bb-40ca-bc85-2b3700adb0f8 +version: 1 +date: '2025-09-08' +author: Jamie Windley, Splunk +status: production +type: Anomaly +description: This analytic detects attempts to enumerate or verify the configuration of the macOS application firewall. Specifically, it monitors executions of `defaults read /Library/Preferences/com.apple.alf` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`. These commands provide insight into firewall status, allowed applications, and explicit authorization rules. While they are legitimate administrative operations, adversaries may leverage them to identify potential attack surfaces, determine whether the firewall is active, or enumerate allowed network flows. Monitoring for these commands, particularly when executed by non-administrative users or at unusual times, can provide early indication of reconnaissance activity on macOS endpoints +data_source: +- osquery +search: "| tstats `security_content_summariesonly` values(Processes.process) as process\ + \ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\ + \ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\ + \ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\ + \ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\ + \ where Processes.process IN (\"*defaults read /Library/Preferences/com.apple.alf*\"\ + \ \"*/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate*\") by Processes.action\ + \ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\ + \ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\ + \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ + | `macos_list_firewall_rules_filter`\n | `macos_list_firewall_rules_filter`" +how_to_implement: Collection of process execution events from macOS endpoints is required. This can be achieved using osquery’s `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp. +known_false_positives: These commands are frequently executed by system administrators or IT personnel during routine configuration checks, troubleshooting, or automated maintenance scripts. Security tools or monitoring agents may also query firewall status for inventory or compliance purposes. To reduce false positives, consider excluding events from known administrative accounts, trusted management systems, or scheduled maintenance jobs. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: MacOS firewall rules listed + risk_objects: + - field: dest + type: system + score: 6 + - field: user + type: user + score: 6 + threat_objects: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + mitre_attack_id: + - T1016 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: [] +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + sourcetype: osquery:results + source: local_vm \ No newline at end of file diff --git a/detections/endpoint/macos_system_network_configuration_discovery.yml b/detections/endpoint/macos_system_network_configuration_discovery.yml new file mode 100644 index 0000000000..efe2a7df3d --- /dev/null +++ b/detections/endpoint/macos_system_network_configuration_discovery.yml @@ -0,0 +1,65 @@ +name: MacOS System Network Configuration Discovery +id: 66945806-0891-4055-952f-ea11b7bc54dd +version: 1 +date: '2025-09-08' +author: Jamie Windley +status: production +type: Anomaly +description: This analytic detects the execution of common network configuration discovery commands on macOS systems. Specifically, it focuses on instances of `netstat -ant`, `arp -a`, and `ifconfig`. These utilities are often used for legitimate troubleshooting, but they are also frequently leveraged by adversaries during the reconnaissance phase to enumerate network interfaces, identify active connections, and discover other hosts within the same broadcast domain. Monitoring for the use of these commands, particularly when executed by unexpected users or during unusual time periods, can provide early warning of potentially malicious activity. +data_source: +- osquery +search: "| tstats `security_content_summariesonly` values(Processes.process) as process\ + \ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\ + \ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\ + \ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\ + \ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\ + \ where Processes.process IN (\"netstat -ant\", \"arp -a\", \"ifconfig\") by Processes.action\ + \ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\ + \ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\ + \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ + | `macos_system_network_configuration_discovery_filter`\n | `macos_system_network_configuration_discovery_filter`" +how_to_implement: Collection of process execution events from macOS endpoints is required. This can be achieved using osquery’s `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp. +known_false_positives: These commands are commonly executed by system administrators, help desk personnel, monitoring agents, and diagnostic scripts as part of routine system maintenance. Security tools and network monitoring utilities may also invoke these commands for inventory or health check purposes. To reduce false positives, consider excluding events originating from trusted management hosts, known administrative accounts, or processes executed on a predictable schedule. +references: [] +drilldown_searches: +- name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", + "$dest$") starthoursago=168 | stats count min(_time) + as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) + as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) + as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" + by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: MacOS system network configuration discovery command observed + risk_objects: + - field: dest + type: system + score: 6 + - field: user + type: user + score: 6 + threat_objects: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + mitre_attack_id: + - T1016 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: [] +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + sourcetype: osquery:results + source: local_vm \ No newline at end of file From 9240b85e02d0a11429266458ca5fa727addf2a76 Mon Sep 17 00:00:00 2001 From: jwindley <15244271+jwindley@users.noreply.github.com> Date: Wed, 12 Nov 2025 20:10:59 +0000 Subject: [PATCH 4/7] Address PR review comments --- .../linux_system_network_discovery.yml | 4 ++ .../endpoint/macos_list_firewall_rules.yml | 4 +- ...system_network_configuration_discovery.yml | 65 ------------------- 3 files changed, 6 insertions(+), 67 deletions(-) delete mode 100644 detections/endpoint/macos_system_network_configuration_discovery.yml diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml index 0ae646262b..20f9acab4d 100644 --- a/detections/endpoint/linux_system_network_discovery.yml +++ b/detections/endpoint/linux_system_network_discovery.yml @@ -15,6 +15,7 @@ description: The following analytic identifies potential enumeration of local ne movement within the environment. data_source: - Sysmon for Linux EventID 1 +- osquery search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.action) as action values(Processes.dest) as dest values(Processes.original_file_name) as original_file_name values(Processes.parent_process) as parent_process values(Processes.parent_process_exec) @@ -85,3 +86,6 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/linux_net_discovery/sysmon_linux.log source: Syslog:Linux-Sysmon/Operational sourcetype: sysmon:linux + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + sourcetype: osquery:results + source: local_vm \ No newline at end of file diff --git a/detections/endpoint/macos_list_firewall_rules.yml b/detections/endpoint/macos_list_firewall_rules.yml index e797dd31b7..56186069ec 100644 --- a/detections/endpoint/macos_list_firewall_rules.yml +++ b/detections/endpoint/macos_list_firewall_rules.yml @@ -37,7 +37,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: MacOS firewall rules listed + message: MacOS firewall rules listed by $user$ on $dest$ risk_objects: - field: dest type: system @@ -61,6 +61,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log sourcetype: osquery:results source: local_vm \ No newline at end of file diff --git a/detections/endpoint/macos_system_network_configuration_discovery.yml b/detections/endpoint/macos_system_network_configuration_discovery.yml deleted file mode 100644 index efe2a7df3d..0000000000 --- a/detections/endpoint/macos_system_network_configuration_discovery.yml +++ /dev/null @@ -1,65 +0,0 @@ -name: MacOS System Network Configuration Discovery -id: 66945806-0891-4055-952f-ea11b7bc54dd -version: 1 -date: '2025-09-08' -author: Jamie Windley -status: production -type: Anomaly -description: This analytic detects the execution of common network configuration discovery commands on macOS systems. Specifically, it focuses on instances of `netstat -ant`, `arp -a`, and `ifconfig`. These utilities are often used for legitimate troubleshooting, but they are also frequently leveraged by adversaries during the reconnaissance phase to enumerate network interfaces, identify active connections, and discover other hosts within the same broadcast domain. Monitoring for the use of these commands, particularly when executed by unexpected users or during unusual time periods, can provide early warning of potentially malicious activity. -data_source: -- osquery -search: "| tstats `security_content_summariesonly` values(Processes.process) as process\ - \ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\ - \ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\ - \ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\ - \ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\ - \ where Processes.process IN (\"netstat -ant\", \"arp -a\", \"ifconfig\") by Processes.action\ - \ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\ - \ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\ - \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ - | `macos_system_network_configuration_discovery_filter`\n | `macos_system_network_configuration_discovery_filter`" -how_to_implement: Collection of process execution events from macOS endpoints is required. This can be achieved using osquery’s `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp. -known_false_positives: These commands are commonly executed by system administrators, help desk personnel, monitoring agents, and diagnostic scripts as part of routine system maintenance. Security tools and network monitoring utilities may also invoke these commands for inventory or health check purposes. To reduce false positives, consider excluding events originating from trusted management hosts, known administrative accounts, or processes executed on a predictable schedule. -references: [] -drilldown_searches: -- name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", - "$dest$") starthoursago=168 | stats count min(_time) - as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) - as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) - as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: MacOS system network configuration discovery command observed - risk_objects: - - field: dest - type: system - score: 6 - - field: user - type: user - score: 6 - threat_objects: [] -tags: - analytic_story: - - Network Discovery - asset_type: Endpoint - mitre_attack_id: - - T1016 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint - cve: [] -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log - sourcetype: osquery:results - source: local_vm \ No newline at end of file From 3dc5f80c3ecb962736f5201263b9f6603f98086b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Thu, 13 Nov 2025 10:07:45 +0100 Subject: [PATCH 5/7] small updates --- detections/endpoint/linux_system_network_discovery.yml | 6 +++--- detections/endpoint/macos_list_firewall_rules.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml index 20f9acab4d..eba0f68e5d 100644 --- a/detections/endpoint/linux_system_network_discovery.yml +++ b/detections/endpoint/linux_system_network_discovery.yml @@ -1,7 +1,7 @@ name: Linux System Network Discovery id: 535cb214-8b47-11ec-a2c7-acde48001122 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-11-13' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -88,4 +88,4 @@ tests: sourcetype: sysmon:linux - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log sourcetype: osquery:results - source: local_vm \ No newline at end of file + source: osquery diff --git a/detections/endpoint/macos_list_firewall_rules.yml b/detections/endpoint/macos_list_firewall_rules.yml index 661b8ce026..2a5172dee2 100644 --- a/detections/endpoint/macos_list_firewall_rules.yml +++ b/detections/endpoint/macos_list_firewall_rules.yml @@ -67,7 +67,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: MacOS firewall rules listed + message: MacOS firewall rules listed by $user$ on $dest$ using $process$ risk_objects: - field: dest type: system @@ -94,6 +94,6 @@ tags: tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_list_firewall_rules.log sourcetype: osquery:results source: osquery From b07142282d1e324972a31fce588112f9c6bb1388 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Thu, 13 Nov 2025 10:11:17 +0100 Subject: [PATCH 6/7] Delete detections/endpoint/macos_system_network_configuration_discovery.yml --- ...system_network_configuration_discovery.yml | 65 ------------------- 1 file changed, 65 deletions(-) delete mode 100644 detections/endpoint/macos_system_network_configuration_discovery.yml diff --git a/detections/endpoint/macos_system_network_configuration_discovery.yml b/detections/endpoint/macos_system_network_configuration_discovery.yml deleted file mode 100644 index efe2a7df3d..0000000000 --- a/detections/endpoint/macos_system_network_configuration_discovery.yml +++ /dev/null @@ -1,65 +0,0 @@ -name: MacOS System Network Configuration Discovery -id: 66945806-0891-4055-952f-ea11b7bc54dd -version: 1 -date: '2025-09-08' -author: Jamie Windley -status: production -type: Anomaly -description: This analytic detects the execution of common network configuration discovery commands on macOS systems. Specifically, it focuses on instances of `netstat -ant`, `arp -a`, and `ifconfig`. These utilities are often used for legitimate troubleshooting, but they are also frequently leveraged by adversaries during the reconnaissance phase to enumerate network interfaces, identify active connections, and discover other hosts within the same broadcast domain. Monitoring for the use of these commands, particularly when executed by unexpected users or during unusual time periods, can provide early warning of potentially malicious activity. -data_source: -- osquery -search: "| tstats `security_content_summariesonly` values(Processes.process) as process\ - \ values(Processes.parent_process) AS parent_process values(Processes.parent_process_exec)\ - \ AS parent_process_exec values(Processes.parent_process_id) AS parent_process_id\ - \ values(Processes.parent_process_name) AS parent_process_name values(Processes.parent_process_path)\ - \ AS parent_process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes\ - \ where Processes.process IN (\"netstat -ant\", \"arp -a\", \"ifconfig\") by Processes.action\ - \ Processes.dest Processes.process Processes.process_hash Processes.process_id Processes.process_name\ - \ Processes.process_path Processes.user Processes.vendor_product \n| `drop_dm_object_name(Processes)`\ - \ \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n\ - | `macos_system_network_configuration_discovery_filter`\n | `macos_system_network_configuration_discovery_filter`" -how_to_implement: Collection of process execution events from macOS endpoints is required. This can be achieved using osquery’s `es_process_events` table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp. -known_false_positives: These commands are commonly executed by system administrators, help desk personnel, monitoring agents, and diagnostic scripts as part of routine system maintenance. Security tools and network monitoring utilities may also invoke these commands for inventory or health check purposes. To reduce false positives, consider excluding events originating from trusted management hosts, known administrative accounts, or processes executed on a predictable schedule. -references: [] -drilldown_searches: -- name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" AND dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", - "$dest$") starthoursago=168 | stats count min(_time) - as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) - as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) - as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" - by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: MacOS system network configuration discovery command observed - risk_objects: - - field: dest - type: system - score: 6 - - field: user - type: user - score: 6 - threat_objects: [] -tags: - analytic_story: - - Network Discovery - asset_type: Endpoint - mitre_attack_id: - - T1016 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint - cve: [] -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/atomic_red_team/macos_net_discovery/macos_network_discovery.log - sourcetype: osquery:results - source: local_vm \ No newline at end of file From f8fb97e46b8fadc81f2f4367c8bfc17050353925 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Fri, 12 Dec 2025 15:45:10 +0100 Subject: [PATCH 7/7] Apply suggestions from code review --- detections/endpoint/macos_list_firewall_rules.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/detections/endpoint/macos_list_firewall_rules.yml b/detections/endpoint/macos_list_firewall_rules.yml index 2a5172dee2..165f0781dc 100644 --- a/detections/endpoint/macos_list_firewall_rules.yml +++ b/detections/endpoint/macos_list_firewall_rules.yml @@ -67,7 +67,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: MacOS firewall rules listed by $user$ on $dest$ using $process$ + message: MacOS firewall rules listed via $process$ by $user$ on $dest$ using $process$ risk_objects: - field: dest type: system @@ -80,6 +80,8 @@ rba: type: parent_process_name - field: process_name type: process_name + - field: process + type: process tags: analytic_story: - Network Discovery