Techniques
Sample rules
WebProxy Settings Modification
- source: elastic
- techniques:
- T1539
Description
Identifies use of the built-in macOS networksetup command to configure web proxy settings (-setwebproxy, -setsecurewebproxy or -setautoproxyurl). This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection. To reduce noise from legitimate configuration changes, the rule only fires when the parent process is a shell or scripting interpreter, or when the parent lacks a trusted code signature.
Detection logic
process where host.os.type == "macos" and event.type in ("start", "process_started") and event.action == "exec" and
process.name == "networksetup" and process.args like~ ("-setwebproxy", "-setsecurewebproxy", "-setautoproxyurl") and
(process.parent.name like~ ("osascript", "bash", "sh", "zsh", "Terminal", "Python*") or (process.parent.code_signature.exists == false or process.parent.code_signature.trusted == false))
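As an added example (not part of the rule page and not Elastic's code), the EQL predicate above re-implemented in Python and run over constructed macOS process events shaped as ECS-style nested dicts. The event contents, parent process names and code-signature values are made up for illustration; `like~` is modelled as a case-insensitive wildcard match, and a comparison against a missing field is treated as false, which is how EQL evaluates it.

```python
"""Python re-implementation (added example, not Elastic's code) of the
'WebProxy Settings Modification' EQL rule, run over constructed events."""
import fnmatch

# Values copied from the rule text.
PROXY_ARGS = ("-setwebproxy", "-setsecurewebproxy", "-setautoproxyurl")
SCRIPT_PARENTS = ("osascript", "bash", "sh", "zsh", "Terminal", "Python*")


def like_ci(value, patterns):
    """EQL `like~`: case-insensitive wildcard match against any pattern."""
    if value is None:
        return False
    v = str(value).lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def get(event, dotted):
    """Walk a dotted ECS field name through nested dicts; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_webproxy_rule(event):
    """True when the event satisfies the rule's EQL `where` clause."""
    if get(event, "host.os.type") != "macos":
        return False
    types = get(event, "event.type")
    types = [types] if isinstance(types, str) else (types or [])
    if not any(t in ("start", "process_started") for t in types):
        return False
    if get(event, "event.action") != "exec":
        return False
    if get(event, "process.name") != "networksetup":
        return False
    # `process.args like~ (...)` on an array field: any element may match.
    args = get(event, "process.args") or []
    if not any(like_ci(a, PROXY_ARGS) for a in args):
        return False
    scripted_parent = like_ci(get(event, "process.parent.name"), SCRIPT_PARENTS)
    # EQL comparisons against a missing field are false, so an absent
    # code_signature block does NOT satisfy `exists == false`.
    sig_exists = get(event, "process.parent.code_signature.exists")
    sig_trusted = get(event, "process.parent.code_signature.trusted")
    untrusted_parent = (sig_exists is False) or (sig_trusted is False)
    return scripted_parent or untrusted_parent


def make_event(args, parent, signature=None, os_type="macos"):
    """Constructed sample event (not real telemetry) for a networksetup exec."""
    ev = {
        "host": {"os": {"type": os_type}},
        "event": {"type": ["start"], "action": "exec"},
        "process": {"name": "networksetup", "args": args, "parent": {"name": parent}},
    }
    if signature is not None:
        ev["process"]["parent"]["code_signature"] = signature
    return ev


# Constructed sample events; hostnames, proxies and parent names are made up.
SAMPLE_EVENTS = {
    "osascript_setwebproxy": make_event(
        ["networksetup", "-setwebproxy", "Wi-Fi", "10.0.0.5", "8080"],
        "osascript", {"exists": True, "trusted": True}),
    "sysprefs_setwebproxy": make_event(
        ["networksetup", "-setwebproxy", "Wi-Fi", "proxy.corp.example", "3128"],
        "System Preferences", {"exists": True, "trusted": True}),
    "unsigned_updater_securewebproxy": make_event(
        ["networksetup", "-setsecurewebproxy", "Wi-Fi", "10.0.0.5", "8443"],
        "updater", {"exists": False}),
    "python_listservices": make_event(
        ["networksetup", "-listallnetworkservices"], "Python3"),
    "terminal_autoproxy_mixed_case": make_event(
        ["networksetup", "-SetAutoProxyURL", "Wi-Fi", "http://10.0.0.5/wpad.dat"],
        "Terminal"),
    "unknown_parent_nosig": make_event(
        ["networksetup", "-setwebproxy", "Wi-Fi", "10.0.0.5", "8080"], "helper"),
    "linux_noise": make_event(
        ["networksetup", "-setwebproxy", "eth0", "10.0.0.5", "8080"], "bash",
        os_type="linux"),
}


def run_rule(events):
    """Return the sorted names of the events the rule would alert on."""
    return sorted(name for name, ev in events.items() if matches_webproxy_rule(ev))


if __name__ == "__main__":
    for name in run_rule(SAMPLE_EVENTS):
        print("ALERT:", name)
```

The `unknown_parent_nosig` case is the one to keep in mind when tuning: a parent with no code_signature block at all does not match `exists == false`, so coverage of unsigned parents depends on the endpoint populating that field rather than omitting it.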