Update 2

rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml

@@ -4,22 +4,22 @@ status: experimental
 description: Detects deletion of local audit logs
 author: remotephone, oscd.community
 date: 2020/10/11
-modified: 2021/11/11
+modified: 2022/07/07
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md
 logsource:
     product: macos
     category: process_creation
 detection:
     selection1:
         Image|endswith: '/rm'
-    selection2:
+    selection_cli_1:
         CommandLine|contains: '/var/log'
-    selection3:
+    selection_cli_2:
         CommandLine|contains|all:
             - '/Users/'
             - '/Library/Logs/'
-    condition: selection1 and (selection2 or selection3)
+    condition: selection1 and 1 of selection_cli*
 falsepositives:
     - Legitimate administration activities
 level: medium

rules/macos/process_creation/proc_creation_macos_create_account.yml

@@ -4,20 +4,20 @@ status: test
 description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
 author: Alejandro Ortuno, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
 date: 2020/10/06
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: macos
+    category: process_creation
+    product: macos
 detection:
-  selection:
-    Image|endswith: '/dscl'
-    CommandLine|contains: 'create'
-  condition: selection
+    selection:
+        Image|endswith: '/dscl'
+        CommandLine|contains: 'create'
+    condition: selection
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: low
 tags:
-  - attack.t1136.001
-  - attack.persistence
+    - attack.t1136.001
+    - attack.persistence

rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml

@@ -4,29 +4,29 @@ status: test
 description: Detects usage of system utilities to discover files and directories
 author: Daniil Yugoslavskiy, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 date: 2020/10/19
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: macos
+    category: process_creation
+    product: macos
 detection:
-  select_file_with_asterisk:
-    Image: '/usr/bin/file'
-    CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
-  select_recursive_ls:
-    Image: '/bin/ls'
-    CommandLine|contains: '-R'
-  select_find_execution:
-    Image: '/usr/bin/find'
-  select_mdfind_execution:
-    Image: '/usr/bin/mdfind'
-  select_tree_execution|endswith:
-    Image: '/tree'
-  condition: 1 of select*
+    select_file_with_asterisk:
+        Image: '/usr/bin/file'
+        CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+    select_recursive_ls:
+        Image: '/bin/ls'
+        CommandLine|contains: '-R'
+    select_find_execution:
+        Image: '/usr/bin/find'
+    select_mdfind_execution:
+        Image: '/usr/bin/mdfind'
+    select_tree_execution|endswith:
+        Image: '/tree'
+    condition: 1 of select*
 falsepositives:
-  - Legitimate activities
+    - Legitimate activities
 level: informational
 tags:
-  - attack.discovery
-  - attack.t1083
+    - attack.discovery
+    - attack.t1083

rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml

@@ -4,22 +4,22 @@ status: test
 description: 'Detecting attempts to extract passwords with grep and laZagne'
 author: 'Igor Fits, Mikhail Larin, oscd.community'
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 date: 2020/10/19
 modified: 2021/11/27
 logsource:
-  product: macos
-  category: process_creation
+    product: macos
+    category: process_creation
 detection:
-  selection1:
-    Image|endswith: '/grep'
-    CommandLine|contains: 'password'
-  selection2:
-    CommandLine|contains: 'laZagne'
-  condition: selection1 or selection2
+    selection1:
+        Image|endswith: '/grep'
+        CommandLine|contains: 'password'
+    selection2:
+        CommandLine|contains: 'laZagne'
+    condition: 1 of selection*
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.credential_access
-  - attack.t1552.001
+    - attack.credential_access
+    - attack.t1552.001

rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml

@@ -6,7 +6,7 @@ author: remotephone, oscd.community
 date: 2020/10/13
 modified: 2021/12/02
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md
     - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
 logsource:
     product: macos

rules/macos/process_creation/proc_creation_macos_local_account.yml

@@ -4,39 +4,39 @@ status: test
 description: Detects enumeration of local systeam accounts on MacOS
 author: Alejandro Ortuno, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
 date: 2020/10/08
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: macos
+    category: process_creation
+    product: macos
 detection:
-  selection_1:
-    Image|endswith: '/dscl'
-    CommandLine|contains|all:
-      - 'list'
-      - '/users'
-  selection_2:
-    Image|endswith: '/dscacheutil'
-    CommandLine|contains|all:
-      - '-q'
-      - 'user'
-  selection_3:
-    CommandLine|contains: '''x:0:'''
-  selection_4:
-    Image|endswith: '/cat'
-    CommandLine|contains:
-      - '/etc/passwd'
-      - '/etc/sudoers'
-  selection_5:
-    Image|endswith: '/id'
-  selection_6:
-    Image|endswith: '/lsof'
-    CommandLine|contains: '-u'
-  condition: 1 of selection*
+    selection_1:
+        Image|endswith: '/dscl'
+        CommandLine|contains|all:
+            - 'list'
+            - '/users'
+    selection_2:
+        Image|endswith: '/dscacheutil'
+        CommandLine|contains|all:
+            - '-q'
+            - 'user'
+    selection_3:
+        CommandLine|contains: '''x:0:'''
+    selection_4:
+        Image|endswith: '/cat'
+        CommandLine|contains:
+            - '/etc/passwd'
+            - '/etc/sudoers'
+    selection_5:
+        Image|endswith: '/id'
+    selection_6:
+        Image|endswith: '/lsof'
+        CommandLine|contains: '-u'
+    condition: 1 of selection*
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: low
 tags:
-  - attack.discovery
-  - attack.t1087.001
+    - attack.discovery
+    - attack.t1087.001

rules/macos/process_creation/proc_creation_macos_local_groups.yml

@@ -4,30 +4,30 @@ status: test
 description: Detects enumeration of local system groups
 author: Ömer Günal, Alejandro Ortuno, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 date: 2020/10/11
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: macos
+    category: process_creation
+    product: macos
 detection:
-  selection_1:
-    Image|endswith: '/dscacheutil'
-    CommandLine|contains|all:
-      - '-q'
-      - 'group'
-  selection_2:
-    Image|endswith: '/cat'
-    CommandLine|contains: '/etc/group'
-  selection_3:
-    Image|endswith: '/dscl'
-    CommandLine|contains|all:
-      - '-list'
-      - '/groups'
-  condition: 1 of selection*
+    selection_1:
+        Image|endswith: '/dscacheutil'
+        CommandLine|contains|all:
+            - '-q'
+            - 'group'
+    selection_2:
+        Image|endswith: '/cat'
+        CommandLine|contains: '/etc/group'
+    selection_3:
+        Image|endswith: '/dscl'
+        CommandLine|contains|all:
+            - '-list'
+            - '/groups'
+    condition: 1 of selection*
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: informational
 tags:
-  - attack.discovery
-  - attack.t1069.001
+    - attack.discovery
+    - attack.t1069.001

rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml

@@ -4,27 +4,27 @@ status: test
 description: Detects enumeration of local or remote network services.
 author: Alejandro Ortuno, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md
 date: 2020/10/21
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: macos
+    category: process_creation
+    product: macos
 detection:
-  selection_1:
-    Image|endswith:
-      - '/nc'
-      - '/netcat'
-  selection_2:
-    Image|endswith:
-      - '/nmap'
-      - '/telnet'
-  filter:
-    CommandLine|contains: 'l'
-  condition: (selection_1 and not filter) or selection_2
+    selection_1:
+        Image|endswith:
+            - '/nc'
+            - '/netcat'
+    selection_2:
+        Image|endswith:
+            - '/nmap'
+            - '/telnet'
+    filter:
+        CommandLine|contains: 'l'
+    condition: (selection_1 and not filter) or selection_2
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: low
 tags:
-  - attack.discovery
-  - attack.t1046
+    - attack.discovery
+    - attack.t1046

rules/macos/process_creation/proc_creation_macos_network_sniffing.yml

@@ -4,22 +4,22 @@ status: test
 description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 author: Alejandro Ortuno, oscd.community
 references:
-  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 date: 2020/10/14
 modified: 2021/11/27
 logsource:
-  category: process_creation
-  product: macos
+    category: process_creation
+    product: macos
 detection:
-  selection:
-    Image|endswith:
-      - '/tcpdump'
-      - '/tshark'
-  condition: selection
+    selection:
+        Image|endswith:
+            - '/tcpdump'
+            - '/tshark'
+    condition: selection
 falsepositives:
-  - Legitimate administration activities
+    - Legitimate administration activities
 level: informational
 tags:
-  - attack.discovery
-  - attack.credential_access
-  - attack.t1040
+    - attack.discovery
+    - attack.credential_access
+    - attack.t1040