From 418a9d5a024c2bd48843250301a451f4841fbc6a Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Sun, 11 Oct 2020 09:37:08 +0200
Subject: [PATCH] Use endswith with processname
---
rules/linux/lnx_local_account.yml | 8 ++++----
rules/linux/macos_local_account.yml | 10 +++++-----
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml
index 82e8b9eac..3026984cd 100644
--- a/rules/linux/lnx_local_account.yml
+++ b/rules/linux/lnx_local_account.yml
@@ -11,22 +11,22 @@ logsource:
product: linux
detection:
selection_1:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/lastlog'
selection_2:
CommandLine|contains:
- "'x:0:'"
selection_3:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/cat'
CommandLine|contains:
- '/etc/passwd'
- '/etc/sudoers'
selection_4:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/id'
selection_5:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/lsof'
CommandLine|contains:
- '-u'
diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml
index 3f4e84b0d..db2b6b588 100644
--- a/rules/linux/macos_local_account.yml
+++ b/rules/linux/macos_local_account.yml
@@ -11,12 +11,12 @@ logsource:
product: macos
detection:
selection_1:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/dscl'
CommandLine|contains:
- '. list /users'
selection_2:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/dscacheutil'
CommandLine|contains:
- '-q user'
@@ -24,16 +24,16 @@ detection:
CommandLine|contains:
- "'x:0:'"
selection_4:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/cat'
CommandLine|contains:
- '/etc/passwd'
- '/etc/sudoers'
selection_5:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/id'
selection_6:
- ProcessName|contains:
+ ProcessName|endswith:
- '*/lsof'
CommandLine|contains:
- '-u'
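Review bot: The leading `*/` in each new `ProcessName|endswith` value is redundant, because the `endswith` modifier already anchors only the right-hand side and backends prepend their own wildcard; `- ProcessName|endswith: '/lastlog'` (and likewise `'/cat'`, `'/id'`, `'/lsof'`) expresses the same match without a doubled wildcard that some regex backends render as `.*.*`. The suffix still requires a path separator, so on a log source where ProcessName carries only a basename (`cat` rather than `/usr/bin/cat`) none of these selections fire — I cannot tell from the hunk which logsource category feeds this rule, so this is worth a short comment in the rule if bare-name sources are in scope. Separately, selection_3 is trivially evaded by reading /etc/passwd or /etc/sudoers with `less`, `head`, `grep` or `awk` instead of `cat`; the commit does not aim to close that, but it is the larger gap in this hunk.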
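Review bot: Selection_1's CommandLine condition still only matches the literal `'. list /users'`, so a user enumeration run as `dscl . -list /users` or `dscl localhost -list /Local/Default/Users` (forms dscl accepts as well) passes the new `ProcessName|endswith: '*/dscl'` check but not the command-line check; consider adding `- '-list /users'` and `- '/Local/Default/Users'` to that `CommandLine|contains` list. As in the Linux rule, the `*/` prefix on each `endswith` value is redundant because the modifier already anchors the suffix, so `'/dscl'` and `'/dscacheutil'` suffice. The detection mapping continues past this hunk (selection_3 onward is outside it).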