Update proc_creation_macos_enable_root_account.yml

Corrected the condition and selection's naming
2023-02-21 11:12:02 +05:30
parent b3154cf465
commit ecdc93cdf0
1 changed files with 6 additions and 6 deletions
@@ -20,22 +20,22 @@ logsource:
    category: process_creation
    product: macos
 detection:
-    selection_dscl:
+    selection_ds_cl:
        Image|endswith: '/dscl'
-        CommandLine|contains:
+        CommandLine|contains|all:
            - '-append' #appends the user
            - '/Groups/admin'
-    selection_dseditgroup:
+    selection_ds_editgroup:
        Image|endswith: '/dseditgroup'
        CommandLine|contains|all:
            - '-a' #name of the record(username)
            - '-t' #type of the record(usergroup)
            - 'admin'
-    selection_dsenableroot:
+    selection_root:
        Image|endswith: '/dsenableroot'
-    filter:
+    filter_root:
        CommandLine|contains: ' -d '
-    condition: (selection_dsenableroot and not filter) or 1 of selection*
+    condition: (selection_root and not filter_root) or 1 of selection_ds_*
 falsepositives:
    - Unknown
 level: medium