From ecdc93cdf00872d822db0b9ae134c8f14cd19616 Mon Sep 17 00:00:00 2001
From: D4rkCiph3r <102921060+D4rkCiph3r@users.noreply.github.com>
Date: Tue, 21 Feb 2023 11:12:02 +0530
Subject: [PATCH] Update proc_creation_macos_enable_root_account.yml

Corrected the condition and selection's naming
---
.../proc_creation_macos_enable_root_account.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/rules/macos/process_creation/proc_creation_macos_enable_root_account.yml b/rules/macos/process_creation/proc_creation_macos_enable_root_account.yml
index a9b588215..e24ef89ef 100644
--- a/rules/macos/process_creation/proc_creation_macos_enable_root_account.yml
+++ b/rules/macos/process_creation/proc_creation_macos_enable_root_account.yml
@@ -20,22 +20,22 @@ logsource:
category: process_creation
product: macos
detection:
- selection_dscl:
+ selection_ds_cl:
Image|endswith: '/dscl'
- CommandLine|contains:
+ CommandLine|contains|all:
- '-append' #appends the user
- '/Groups/admin'
- selection_dseditgroup:
+ selection_ds_editgroup:
Image|endswith: '/dseditgroup'
CommandLine|contains|all:
- '-a' #name of the record(username)
- '-t' #type of the record(usergroup)
- 'admin'
- selection_dsenableroot:
+ selection_root:
Image|endswith: '/dsenableroot'
- filter:
+ filter_root:
CommandLine|contains: ' -d '
- condition: (selection_dsenableroot and not filter) or 1 of selection*
+ condition: (selection_root and not filter_root) or 1 of selection_ds_*
falsepositives:
- Unknown
level: medium
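Review bot: The `'-a'` and `'-t'` entries under `selection_ds_editgroup` are bare substring matches, so `contains|all` is satisfied by any `dseditgroup` command line whose text happens to contain those two characters (for example inside a longer flag or a record name), which makes that selection much looser than the `filter_root` entry that already anchors its token with surrounding spaces (`' -d '`). Since the renamed condition now relies on `1 of selection_ds_*` to fire this rule, that imprecision lands directly in the alert volume; anchoring the tokens the same way the filter does, `- ' -a ' # name of the record (username)` and `- ' -t ' # type of the record (usergroup)`, keeps the intent while matching only the actual flags. Sigma's `contains` is case-insensitive substring matching on most backends, so this is a hedged recommendation to confirm against the macOS process_creation telemetry in use. The rule's header (title, description, references, tags) lies outside this hunk, and the inline comments would also read cleaner with a space after `#`.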