security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e5cd850640355a32f4cfeaac0355b32477b80098
blue-team-tools/rules/linux/macos_screencapture.yml
T

23 lines
708 B
YAML
Raw Normal View History

adding macos screencapture rule
2020-10-14 00:51:55 -05:00
title: Screen Capture - macOS
fixing UUID and description
2020-10-14 00:54:51 -05:00
id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
adding macos screencapture rule
2020-10-14 00:51:55 -05:00
status: experimental
fixing UUID and description
2020-10-14 00:54:51 -05:00
description: Detects attempts to use screencapture to collect macOS screenshots
adding macos screencapture rule
2020-10-14 00:51:55 -05:00
author: remotephone, oscd.community
date: 2020/10/13
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
- https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
logsource:
product: macos
category: process_creation
detection:
updated syntax a bit to re-run the test
2020-10-20 19:06:23 +02:00
selection:
Renamed ProcessName field to Image for the process_creation category.
2021-02-25 01:57:26 +03:00
Image: '/usr/sbin/screencapture'
updated syntax a bit to re-run the test
2020-10-20 19:06:23 +02:00
condition: selection
adding macos screencapture rule
2020-10-14 00:51:55 -05:00
falsepositives:
- Legitimate user activity taking screenshots
level: low
tags:
- attack.collection
- attack.t1113
Reference in New Issue Copy Permalink