diff --git a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml index 0c554bba2..7c10bd097 100644 --- a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml +++ b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml @@ -4,22 +4,22 @@ status: experimental description: Detects deletion of local audit logs author: remotephone, oscd.community date: 2020/10/11 -modified: 2021/11/11 +modified: 2022/07/07 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md logsource: product: macos category: process_creation detection: selection1: Image|endswith: '/rm' - selection2: + selection_cli_1: CommandLine|contains: '/var/log' - selection3: + selection_cli_2: CommandLine|contains|all: - '/Users/' - '/Library/Logs/' - condition: selection1 and (selection2 or selection3) + condition: selection1 and 1 of selection_cli* falsepositives: - Legitimate administration activities level: medium diff --git a/rules/macos/process_creation/proc_creation_macos_create_account.yml b/rules/macos/process_creation/proc_creation_macos_create_account.yml index a000b5eb8..271f62d79 100644 --- a/rules/macos/process_creation/proc_creation_macos_create_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_create_account.yml 
@@ -4,20 +4,20 @@ status: test description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. author: Alejandro Ortuno, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md date: 2020/10/06 modified: 2021/11/27 logsource: - category: process_creation - product: macos + category: process_creation + product: macos detection: - selection: - Image|endswith: '/dscl' - CommandLine|contains: 'create' - condition: selection + selection: + Image|endswith: '/dscl' + CommandLine|contains: 'create' + condition: selection falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: low tags: - - attack.t1136.001 - - attack.persistence + - attack.t1136.001 + - attack.persistence diff --git a/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml b/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml index c4159b43a..fe22a43de 100644 --- a/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_file_and_directory_discovery.yml 
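Review bot: The re-indented `selection` matches `Image|endswith: '/dscl'` together with `CommandLine|contains: 'create'`, which is broader than the description "creation of a new user account": `dscl . -create` is also the verb used to set attributes on an already existing record (a `/Users/<name>` record followed by an attribute name) and on `/Groups/` paths, and the bare substring `create` would match any other argument containing that word. If the rule is meant to stay account-creation specific, presumably `CommandLine|contains|all:` with `'-create'` and `'/Users/'` is closer to the intent; otherwise the description should say record creation or modification. This rule's `modified: 2021/11/27` is left untouched, which is consistent with the change being reference and whitespace only.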
@@ -4,29 +4,29 @@ status: test description: Detects usage of system utilities to discover files and directories author: Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md date: 2020/10/19 modified: 2021/11/27 logsource: - category: process_creation - product: macos + category: process_creation + product: macos detection: - select_file_with_asterisk: - Image: '/usr/bin/file' - CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline - select_recursive_ls: - Image: '/bin/ls' - CommandLine|contains: '-R' - select_find_execution: - Image: '/usr/bin/find' - select_mdfind_execution: - Image: '/usr/bin/mdfind' - select_tree_execution|endswith: - Image: '/tree' - condition: 1 of select* + select_file_with_asterisk: + Image: '/usr/bin/file' + CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline + select_recursive_ls: + Image: '/bin/ls' + CommandLine|contains: '-R' + select_find_execution: + Image: '/usr/bin/find' + select_mdfind_execution: + Image: '/usr/bin/mdfind' + select_tree_execution|endswith: + Image: '/tree' + condition: 1 of select* falsepositives: - - Legitimate activities + - Legitimate activities level: informational tags: - - attack.discovery - - attack.t1083 + - attack.discovery + - attack.t1083 diff --git a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml index ae273c242..dee30b3b7 100644 --- a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml +++ b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml 
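Review bot: `select_tree_execution|endswith:` places the `endswith` modifier on the selection name instead of the field, so the selection identifier is literally `select_tree_execution|endswith` and `Image: '/tree'` becomes an exact match that only fires when the process image is the bare path `/tree`; the commit re-indents these two lines without correcting them. The intended form is `select_tree_execution:` followed by `Image|endswith: '/tree'`. Because `1 of select*` still picks up the misnamed identifier, the rule loads without error and the dead selection goes unnoticed.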
@@ -4,22 +4,22 @@ status: test description: 'Detecting attempts to extract passwords with grep and laZagne' author: 'Igor Fits, Mikhail Larin, oscd.community' references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md date: 2020/10/19 modified: 2021/11/27 logsource: - product: macos - category: process_creation + product: macos + category: process_creation detection: - selection1: - Image|endswith: '/grep' - CommandLine|contains: 'password' - selection2: - CommandLine|contains: 'laZagne' - condition: selection1 or selection2 + selection1: + Image|endswith: '/grep' + CommandLine|contains: 'password' + selection2: + CommandLine|contains: 'laZagne' + condition: 1 of selection* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.credential_access - - attack.t1552.001 + - attack.credential_access + - attack.t1552.001 diff --git a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml index ac814a811..de8870257 100644 --- a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml +++ b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml @@ -6,7 +6,7 @@ author: remotephone, oscd.community date: 2020/10/13 modified: 2021/12/02 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ logsource: product: macos diff --git a/rules/macos/process_creation/proc_creation_macos_local_account.yml b/rules/macos/process_creation/proc_creation_macos_local_account.yml index 75dd152ca..46dd1cb9c 100644 
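Review bot: The condition is rewritten to `1 of selection*` but `modified: 2021/11/27` is kept, whereas the equivalent selection rename in proc_creation_macos_clear_system_logs.yml (the first hunk of this diff) bumps `modified` to `2022/07/07`; the two rules should be treated the same way, presumably by bumping `modified` here as well. Separately, `1 of selection*` will absorb any future identifier starting with `selection`, so if a filter is added later it must not share that prefix; naming the two selections after what they match (grep with `password`, the `laZagne` string) would make the wildcard safer to extend.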
--- a/rules/macos/process_creation/proc_creation_macos_local_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_local_account.yml @@ -4,39 +4,39 @@ status: test description: Detects enumeration of local systeam accounts on MacOS author: Alejandro Ortuno, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md date: 2020/10/08 modified: 2021/11/27 logsource: - category: process_creation - product: macos + category: process_creation + product: macos detection: - selection_1: - Image|endswith: '/dscl' - CommandLine|contains|all: - - 'list' - - '/users' - selection_2: - Image|endswith: '/dscacheutil' - CommandLine|contains|all: - - '-q' - - 'user' - selection_3: - CommandLine|contains: '''x:0:''' - selection_4: - Image|endswith: '/cat' - CommandLine|contains: - - '/etc/passwd' - - '/etc/sudoers' - selection_5: - Image|endswith: '/id' - selection_6: - Image|endswith: '/lsof' - CommandLine|contains: '-u' - condition: 1 of selection* + selection_1: + Image|endswith: '/dscl' + CommandLine|contains|all: + - 'list' + - '/users' + selection_2: + Image|endswith: '/dscacheutil' + CommandLine|contains|all: + - '-q' + - 'user' + selection_3: + CommandLine|contains: '''x:0:''' + selection_4: + Image|endswith: '/cat' + CommandLine|contains: + - '/etc/passwd' + - '/etc/sudoers' + selection_5: + Image|endswith: '/id' + selection_6: + Image|endswith: '/lsof' + CommandLine|contains: '-u' + condition: 1 of selection* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: low tags: - - attack.discovery - - attack.t1087.001 + - attack.discovery + - attack.t1087.001 
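Review bot: `selection_3` is `CommandLine|contains: '''x:0:'''`, which YAML resolves to the string `'x:0:'` with the single quotes included, so it only fires if the logged CommandLine preserves the shell quoting; telemetry that rebuilds the command line from argv has already lost the quotes and would never match. Presumably the unquoted pattern `CommandLine|contains: 'x:0:'` is what was meant; confirm against the log source before changing it. `selection_5` (`Image|endswith: '/id'` with no command-line constraint) fires on every invocation of `id`, which shell startup scripts run routinely; that is consistent with `level: low` but deserves a short comment on the selection. While the file is being reformatted, the unchanged context line `description: Detects enumeration of local systeam accounts on MacOS` still carries the typo `systeam`.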
diff --git a/rules/macos/process_creation/proc_creation_macos_local_groups.yml b/rules/macos/process_creation/proc_creation_macos_local_groups.yml index 4701c17c3..beea8c8b1 100644 --- a/rules/macos/process_creation/proc_creation_macos_local_groups.yml +++ b/rules/macos/process_creation/proc_creation_macos_local_groups.yml @@ -4,30 +4,30 @@ status: test description: Detects enumeration of local system groups author: Ömer Günal, Alejandro Ortuno, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md date: 2020/10/11 modified: 2021/11/27 logsource: - category: process_creation - product: macos + category: process_creation + product: macos detection: - selection_1: - Image|endswith: '/dscacheutil' - CommandLine|contains|all: - - '-q' - - 'group' - selection_2: - Image|endswith: '/cat' - CommandLine|contains: '/etc/group' - selection_3: - Image|endswith: '/dscl' - CommandLine|contains|all: - - '-list' - - '/groups' - condition: 1 of selection* + selection_1: + Image|endswith: '/dscacheutil' + CommandLine|contains|all: + - '-q' + - 'group' + selection_2: + Image|endswith: '/cat' + CommandLine|contains: '/etc/group' + selection_3: + Image|endswith: '/dscl' + CommandLine|contains|all: + - '-list' + - '/groups' + condition: 1 of selection* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: informational tags: - - attack.discovery - - attack.t1069.001 + - attack.discovery + - attack.t1069.001 diff --git a/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml b/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml index fc2e432c9..87b15c562 100644 --- a/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml 
+++ b/rules/macos/process_creation/proc_creation_macos_network_service_scanning.yml @@ -4,27 +4,27 @@ status: test description: Detects enumeration of local or remote network services. author: Alejandro Ortuno, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md date: 2020/10/21 modified: 2021/11/27 logsource: - category: process_creation - product: macos + category: process_creation + product: macos detection: - selection_1: - Image|endswith: - - '/nc' - - '/netcat' - selection_2: - Image|endswith: - - '/nmap' - - '/telnet' - filter: - CommandLine|contains: 'l' - condition: (selection_1 and not filter) or selection_2 + selection_1: + Image|endswith: + - '/nc' + - '/netcat' + selection_2: + Image|endswith: + - '/nmap' + - '/telnet' + filter: + CommandLine|contains: 'l' + condition: (selection_1 and not filter) or selection_2 falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: low tags: - - attack.discovery - - attack.t1046 + - attack.discovery + - attack.t1046 diff --git a/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml b/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml index dd0ae18f3..8a15ba102 100644 --- a/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml +++ b/rules/macos/process_creation/proc_creation_macos_network_sniffing.yml 
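Review bot: `filter` is `CommandLine|contains: 'l'`, a single letter, so any nc/netcat command line containing an `l` anywhere (a hostname such as `localhost`, a path, a `-v` verbose flag next to other letters) is excluded, and `selection_1` effectively only matches command lines with no `l` at all. If the intent is to drop listener invocations, the filter should target the flag itself, e.g. `CommandLine|contains: ' -l'`, or a regex such as `CommandLine|re: '\s-[a-zA-Z]*l'` to cover combined short options; verify the form against the nc variants present on the monitored hosts. As written the exclusion silently suppresses much of the scanning activity the rule is meant to catch, and the commit carries it over unchanged.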
@@ -4,22 +4,22 @@ status: test description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. author: Alejandro Ortuno, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md date: 2020/10/14 modified: 2021/11/27 logsource: - category: process_creation - product: macos + category: process_creation + product: macos detection: - selection: - Image|endswith: - - '/tcpdump' - - '/tshark' - condition: selection + selection: + Image|endswith: + - '/tcpdump' + - '/tshark' + condition: selection falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: informational tags: - - attack.discovery - - attack.credential_access - - attack.t1040 + - attack.discovery + - attack.credential_access + - attack.t1040