legitimate webproxy settings modification

t1539
macos
elastic

Techniques

T1539

Sample rules

WebProxy Settings Modification

source: elastic
technicques:
- T1539

Description

Identifies the use of the built-in networksetup command to configure webproxy settings. This may indicate an attempt to hijack web browser traffic for credential access via traffic sniffing or redirection.

Detection logic

process where host.os.type == "macos" and event.type in ("start", "process_started") and event.action == "exec" and
 process.name == "networksetup" and process.args like~ ("-setwebproxy", "-setsecurewebproxy", "-setautoproxyurl") and
 (process.parent.name like~ ("osascript", "bash", "sh", "zsh", "Terminal", "Python*") or (process.parent.code_signature.exists == false or process.parent.code_signature.trusted == false))