diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 7e812ab2871..82f2815fda0 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 19403ba0533..36e49d8aed2 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index 5722fd0236e..cbadd3c9f5c 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -282,5 +282,8 @@
 "metrics-*": {
 "system.process.cpu.total.norm.pct": "double",
 "system.cpu.total.norm.pct": "double"
+ },
+ "logs-unified_logs.log-*": {
+ "message": "keyword"
 }
 }
diff --git a/rules/integrations/unified_logs/defense_evasion_xprotect_malware_scan_match.toml b/rules/integrations/unified_logs/defense_evasion_xprotect_malware_scan_match.toml
new file mode 100644
index 00000000000..dd6f5aa3221
--- /dev/null
+++ b/rules/integrations/unified_logs/defense_evasion_xprotect_malware_scan_match.toml
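Review bot: The new schema key `"logs-unified_logs.log-*"` does not match the index pattern the two new rules actually query, `FROM logs-unifiedlogs.unifiedlogs-*` with `event.dataset == "unifiedlogs.log"`, so if this entry is meant to supply the `message` type for those rules' ES|QL validation it will presumably not be matched; the key likely should read `"logs-unifiedlogs.unifiedlogs-*": {` or whatever data stream the unifiedlogs integration writes to. `message` is also declared `keyword` here while ECS defines it as a text-family field; if that is deliberate so that `LIKE` validates, the PR description should say so, since JSON leaves no room for a comment.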
@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects XProtect malware scan matches via the macOS Unified Logs `com.apple.XProtectFramework.PluginAPI` subsystem.
+XProtect is Apple's built-in malware detection system that scans files using YARA-based signature rules. When a scan
+produces a match, it indicates that a known malware signature was detected on the endpoint. While XProtect events are
+rare, they are extremely high-confidence indicators of malicious software presence. This rule correlates XProtect scan
+results with Elastic Security telemetry to provide additional context for investigation and response. This subsystem
+does not require debug or private data enablement.
+"""
+false_positives = [
+    """
+    XProtect scan matches are high-confidence indicators and false positives are uncommon. However, legitimate
+    security research tools, penetration testing software, or sample files used in security training may trigger
+    XProtect signatures. Verify the detected file and its context before taking remediation action.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "XProtect Malware Scan Match Detected"
+note = """## Triage and analysis
+
+### Investigating XProtect Malware Scan Match Detected
+
+This rule detects when Apple's XProtect framework identifies a malware signature match during a file scan. XProtect uses YARA-based rules maintained by Apple and is a strong indicator that known malware is present on the endpoint.
+
+### Possible investigation steps
+
+- Review the `message` field to identify the XProtect signature that matched and the scanned file details.
+- Correlate with Elastic Defend telemetry to determine the full context: which process created or downloaded the flagged file, and what activity followed.
+- Check if XProtect quarantined or blocked the file, or if the malware was able to execute.
+- Look up the XProtect signature name against Apple's published XProtect rules or public malware databases for additional intelligence.
+- Review the host for additional indicators of compromise, including persistence mechanisms, network connections, and other suspicious process activity.
+- Check the file's origin — was it downloaded from the internet, received via email, or transferred from removable media?
+
+### False positive analysis
+
+- XProtect matches are high-confidence and rarely produce false positives.
+- Security research samples or penetration testing tools may trigger legitimate detections.
+- Archived or quarantined malware samples stored on disk could trigger scans.
+
+### Response and remediation
+
+- Immediately isolate the affected host if the malware is confirmed active.
+- Verify XProtect's remediation action (quarantine, block, or allow) and take manual action if needed.
+- Collect the flagged file for further analysis if not already quarantined.
+- Review the infection vector and timeline to determine if other hosts may be affected.
+- Check for post-compromise activity (lateral movement, data exfiltration, persistence).
+"""
+references = [
+    "https://support.apple.com/en-us/102445",
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+]
+risk_score = 73
+rule_id = "d33b49d6-dd67-4a5d-ad9a-c3437dffc487"
+severity = "high"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Defense Evasion",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND unified_log.subsystem == "com.apple.XProtectFramework.PluginAPI"
+  AND message LIKE "*match*"
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "unified_log.subsystem",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]
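Review bot: `rule.investigation_fields.field_names` lists `process.name`, `process.executable` and `user.name`, but the query's `| KEEP` clause retains only `host.*`, `event.dataset`, `unified_log.*` and `message`, so those three columns can never reach the alert document and the investigation-field entries are dead; either append them to the `KEEP` list (if the unifiedlogs data stream actually carries them) or remove the three strings from `field_names`. The same mismatch is present in the login-item rule hunk that follows. Separately, `message LIKE "*match*"` is a case-sensitive bare substring filter, so if the `PluginAPI` subsystem also logs negative outcomes such as "no match" or "mismatch" those lines would trigger this `severity = "high"` rule too; anchoring the pattern on the literal text XProtect emits for a positive match would make the description's "high-confidence" claim hold at query level rather than only in triage.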
@@ -0,0 +1,109 @@
+[metadata]
+creation_date = "2026/03/23"
+integration = ["unifiedlogs"]
+maturity = "production"
+updated_date = "2026/03/23"
+
+[rule]
+author = ["Elastic"]
+description = """
+Detects login item persistence execution via the macOS Unified Logs `com.apple.loginwindow.logging` subsystem. The
+`LoginItemsLauncher` message indicates that login items were launched during user login. Login items are a common
+persistence mechanism used by macOS malware to ensure execution after system reboot. While many legitimate
+applications register login items for auto-start behavior, unexpected or recently added login items warrant
+investigation. This subsystem produces very low event volume with high signal fidelity, making it an effective
+detection source. This rule operates at default log level and does not require debug or private data enablement.
+"""
+false_positives = [
+    """
+    Many legitimate applications register login items for auto-start behavior, including cloud storage clients
+    (Dropbox, Google Drive), communication tools (Slack, Teams), security software, and system utilities. Review
+    the launched application identity in the message field to determine if the login item is expected.
+    """,
+]
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Login Item Persistence Execution via Unified Logs"
+note = """## Triage and analysis
+
+### Investigating Login Item Persistence Execution via Unified Logs
+
+This rule detects the `LoginItemsLauncher` pattern from the `com.apple.loginwindow.logging` subsystem, which fires when login items are launched during user login. Login items persist across reboots and are a favored persistence mechanism for macOS malware.
+
+### Possible investigation steps
+
+- Review the `message` field to identify the application or script that was auto-launched at login.
+- Correlate with Elastic Defend telemetry to determine the full process chain and binary details (code signature, path, hash).
+- Check whether the login item was recently added by reviewing Login Items in System Settings or via `sfltool dumpbtm`.
+- Look for other persistence mechanisms on the same host (LaunchAgents, LaunchDaemons, cron jobs) that may be part of the same attack chain.
+- Check if the auto-launched application performs suspicious post-login activity (network connections, credential access, data collection).
+- Review the host for recent software installations or modifications that could explain the new login item.
+
+### False positive analysis
+
+- Cloud storage sync clients (Dropbox, iCloud Drive, Google Drive) commonly register login items.
+- Communication tools (Slack, Microsoft Teams, Discord) use login items for auto-start.
+- Security and IT management software (antivirus, MDM agents) register login items.
+- macOS system services and Apple applications may trigger this pattern during updates.
+
+### Response and remediation
+
+- If the login item is unrecognized, investigate its origin and remove it via System Settings > General > Login Items.
+- Check for associated persistence files in `~/Library/LaunchAgents/`, `/Library/LaunchAgents/`, or the BackgroundTaskManagement database.
+- If the login item is confirmed malicious, remove all associated files and persistence mechanisms.
+- Review the host for additional indicators of compromise.
+"""
+references = [
+    "https://www.elastic.co/docs/reference/integrations/unifiedlogs",
+    "https://developer.apple.com/documentation/servicemanagement/smappservice",
+]
+risk_score = 21
+rule_id = "e360db98-825c-4674-9dbc-0b3d42cc706f"
+severity = "low"
+tags = [
+    "Domain: macOS",
+    "Data Source: macOS Unified Logs",
+    "Data Source: Unified Logs",
+    "Use Case: Threat Detection",
+    "Resources: Investigation Guide",
+    "Tactic: Persistence",
+    "Rule Type: BBR",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-unifiedlogs.unifiedlogs-* METADATA _id, _version, _index
+| WHERE event.dataset == "unifiedlogs.log" AND host.os.type == "macos" AND unified_log.subsystem == "com.apple.loginwindow.logging"
+  AND message LIKE "*LoginItemsLauncher*"
+| KEEP @timestamp, _id, _version, _index, host.name, host.id, host.os.type, event.dataset, unified_log.subsystem, unified_log.category, message
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1547"
+name = "Boot or Logon Autostart Execution"
+reference = "https://attack.mitre.org/techniques/T1547/"
+[[rule.threat.technique.subtechnique]]
+id = "T1547.015"
+name = "Login Items"
+reference = "https://attack.mitre.org/techniques/T1547/015/"
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.investigation_fields]
+field_names = [
+    "host.name",
+    "host.id",
+    "message",
+    "unified_log.subsystem",
+    "event.dataset",
+    "process.name",
+    "process.executable",
+    "user.name",
+]