Commit Graph

91 Commits

Author SHA1 Message Date
phantinuss 2a2db295ce Merge pull request #4155 from D4rkCiph3r/patch-5
Update proc_creation_macos_add_to_admin_group.yml
2023-08-23 08:57:45 +02:00
phantinuss ea5db35a52 Merge pull request #4127 from D4rkCiph3r/in-memory-payload
Create proc_creation_macos_in-memory_payload_transfer.yml
2023-08-23 08:57:23 +02:00
Nasreddine Bencherchali d53f063141 feat: update metadata 2023-08-22 18:22:05 +02:00
Nasreddine Bencherchali 32800437c9 Update proc_creation_macos_dseditgroup_add_to_admin_group.yml 2023-08-22 17:55:17 +02:00
Nasreddine Bencherchali 0f1f792ef9 chore: split rules 2023-08-22 17:48:06 +02:00
Nasreddine Bencherchali 68f843ce2c Merge pull request #4300 from gr00T0x/jamf
feat: add rules related to jamf usage and potential abuse
2023-08-22 15:38:35 +02:00
Nasreddine Bencherchali 7881df8591 Merge pull request #4055 from D4rkCiph3r/root_enable
feat: add new to enable root account via dsenableroot
2023-08-22 15:10:26 +02:00
Nasreddine Bencherchali ae71649ff5 Update rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml 2023-08-22 15:09:42 +02:00
phantinuss 785ea520dd fix: wording 2023-08-22 14:56:25 +02:00
phantinuss 9cb0c4d1ac fix: wording 2023-08-22 14:55:30 +02:00
Nasreddine Bencherchali b14769e684 feat: update metadata & logic 2023-08-22 14:34:20 +02:00
Nasreddine Bencherchali 4e75c3b2dc feat: update detection & metadata 2023-08-22 13:51:14 +02:00
gr00t fe26aabf6a Update proc_creation_macos_usage_of_jamf.yml 2023-06-08 12:43:54 +01:00
gr00t 97cb0ad683 Create proc_creation_macos_usage_of_jamf.yml 2023-06-07 16:46:36 +01:00
D4rkCiph3r e32b39d855 feat: new macos rule Suspicious Browser Child Process (#4053) 2023-04-05 14:58:09 +02:00
D4rkCiph3r 5d1130262f feat: new rule proc_creation_macos_suspicious_applet_behaviour.yml (#4126) 2023-04-03 12:27:17 +02:00
D4rkCiph3r 3662498137 Update proc_creation_macos_add_to_admin_group.yml 2023-03-30 11:34:38 +05:30
D4rkCiph3r 401c147f70 Update proc_creation_macos_enable_root_account.yml 2023-03-30 11:33:57 +05:30
D4rkCiph3r f6a78028d1 Update proc_creation_macos_enable_root_account.yml
Removed a couple of detections, as I have moved them over to this rule "proc_creation_macos_add_to_admin_group".
2023-03-30 11:32:53 +05:30
D4rkCiph3r 6a9d887c47 Update proc_creation_macos_add_to_admin_group.yml
Restructured another detection from this rule "proc_creation_macos_enable_root_account.yml" (PR Pending) to here.
2023-03-30 11:26:52 +05:30
D4rkCiph3r da468ec37a feat: new rule proc_creation_macos_add_to_admin_group.yml (#4121) 2023-03-21 11:29:42 +01:00
D4rkCiph3r 24432424c0 Rename proc_creation_macos_in-memory_payload_transfer.yml to proc_creation_macos_ingress_payload_transfer.yml
Updated filename as per test run failure
2023-03-20 23:35:32 +05:30
D4rkCiph3r f4b0264a83 Create proc_creation_macos_in-memory_payload_transfer.yml 2023-03-20 23:21:36 +05:30
Nasreddine Bencherchali 137dcbcc50 feat: more updates and fixes 2023-02-28 15:22:25 +01:00
phantinuss db4fb9ff8e Merge pull request #4056 from D4rkCiph3r/installer-child
Create proc_creation_macos_susp_installer_child_process.yml
2023-02-22 09:04:58 +01:00
Nasreddine Bencherchali 275748b671 fix: add missing space + rename file 2023-02-21 23:29:47 +01:00
Nasreddine Bencherchali 8220d9b5b2 fix: add slash to image field
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-21 23:17:09 +01:00
D4rkCiph3r ecdc93cdf0 Update proc_creation_macos_enable_root_account.yml
Corrected the condition and selection's naming
2023-02-21 11:12:02 +05:30
D4rkCiph3r 848a64fa69 Create proc_creation_macos_persistence_via_plistbuddy.yml (#4057) 2023-02-20 14:15:31 +01:00
D4rkCiph3r d0af939108 Create proc_creation_macos_enable_guest_account.yml (#4054) 2023-02-20 14:13:52 +01:00
D4rkCiph3r f9a73c7a79 Update proc_creation_macos_create_account.yml (#4052) 2023-02-20 14:13:06 +01:00
D4rkCiph3r 97e2717343 Update proc_creation_macos_susp_installer_child_process.yml
Updated the selection syntax
2023-02-20 18:19:43 +05:30
D4rkCiph3r b3154cf465 Update proc_creation_macos_enable_root_account.yml
Updated the selections and condition as suggested.
2023-02-20 18:14:51 +05:30
frack113 cd16dff85d Update rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml 2023-02-20 06:32:47 +01:00
D4rkCiph3r c016748316 Update proc_creation_macos_susp_installer_child_process.yml 2023-02-18 19:10:01 +05:30
D4rkCiph3r cc5bce2035 Create proc_creation_macos_susp_installer_child_process.yml
Summary of the Pull Request:
The pull request adds a new rule for macOS (T1059, T1059.007, T1071, T1071.001)

Detailed Description of the Pull Request / Additional comments:
The rule helps detect the execution of suspicious child processes from the macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters. Legitimate software also uses scripts (preinstall and postinstall). Baselining or application allow-listing monitoring helps reduce the false positives.

Example Log Event (In Case of FP Fixes)
NA

Relevant Issues (In Case of Issue Fixes)
NA
2023-02-18 19:04:22 +05:30
D4rkCiph3r f275a6a3cd Create proc_creation_macos_enable_root_account.yml
Summary of the Pull Request:
The pull request adds a new rule for macOS (T1078, T1078.001)

Detailed Description of the Pull Request / Additional comments:
The rule helps detect attempts to enable/add an account to the admin group, thus granting the root privilege using various utilities such as dsenableroot, dseditgroup and dscl

Example Log Event (In Case of FP Fixes)
NA

Relevant Issues (In Case of Issue Fixes)
NA
2023-02-18 18:20:18 +05:30
Nasreddine Bencherchali 2ae212f5ab fix: remove unnecessary filter 2023-02-17 21:36:54 +01:00
D4rkCiph3r c965a8dca0 Update proc_creation_macos_binary_padding.yml
Updated the modified field
The reference link is the same; I have a PR in the ART repo for the same, which is yet to be verified. Maybe, if it's allowed, the man pages of "truncate" and "dd" can be referenced.
Discarding the filter: there should either be "of=" (output file) or a redirection or append symbol.
2023-02-17 23:16:28 +05:30
D4rkCiph3r 45ff572bd2 Update proc_creation_macos_binary_padding.yml
Minor changes
2023-02-17 18:22:26 +05:30
D4rkCiph3r afc6198da8 Update proc_creation_macos_binary_padding.yml
Few minor changes, increasing the precision of the rule and reducing the possible false positives.
2023-02-17 18:05:55 +05:30
Nasreddine Bencherchali 0795ed6469 feat: additional updates and fixes 2023-02-04 21:06:47 +01:00
frack113 9ad58353a7 Update from review 2023-02-01 18:30:45 +01:00
frack113 c1ef84fd66 Merge remote-tracking branch 'upstream/master' into pr/3989 2023-02-01 18:27:51 +01:00
frack113 3d8b82805c Merge pull request #3992 from D4rkCiph3r/osacompile
Create proc_creation_macos_osacompile_run-only_execution.yml
2023-02-01 18:17:00 +01:00
frack113 f121041cf0 Merge pull request #3991 from D4rkCiph3r/macro-osa
Create proc_creation_macos_macros_execution.yml
2023-02-01 18:16:23 +01:00
Nasreddine Bencherchali 55f16c3f84 fix: update metadata and logic 2023-02-01 17:45:01 +01:00
Nasreddine Bencherchali d8b17f1d9f fix: add ref and update description 2023-02-01 17:23:36 +01:00
Nasreddine Bencherchali 0cddb6194c Merge pull request #3993 from D4rkCiph3r/patch-1
feat: add new extension to osascript rule
2023-02-01 17:22:08 +01:00
Nasreddine Bencherchali 04227055e4 fix: add reference 2023-02-01 17:15:10 +01:00