security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/linux/macos/process_creation/proc_creation_macos_screencapture.yml
T

24 lines
699 B
YAML
Raw Normal View History

adding macos screencapture rule
2020-10-14 00:51:55 -05:00
title: Screen Capture - macOS
fixing UUID and description
2020-10-14 00:54:51 -05:00
id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
Change status for old rules
2021-11-27 11:33:14 +01:00
status: test
fixing UUID and description
2020-10-14 00:54:51 -05:00
description: Detects attempts to use screencapture to collect macOS screenshots
adding macos screencapture rule
2020-10-14 00:51:55 -05:00
author: remotephone, oscd.community
references:
Change status for old rules
2021-11-27 11:33:14 +01:00
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md
- https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py
date: 2020/10/13
modified: 2021/11/27
adding macos screencapture rule
2020-10-14 00:51:55 -05:00
logsource:
Change status for old rules
2021-11-27 11:33:14 +01:00
product: macos
category: process_creation
adding macos screencapture rule
2020-10-14 00:51:55 -05:00
detection:
Change status for old rules
2021-11-27 11:33:14 +01:00
selection:
Image: '/usr/sbin/screencapture'
condition: selection
adding macos screencapture rule
2020-10-14 00:51:55 -05:00
falsepositives:
Change status for old rules
2021-11-27 11:33:14 +01:00
- Legitimate user activity taking screenshots
adding macos screencapture rule
2020-10-14 00:51:55 -05:00
level: low
tags:
Change status for old rules
2021-11-27 11:33:14 +01:00
- attack.collection
- attack.t1113
Reference in New Issue Copy Permalink