e32b39d855
feat: new macos rule Suspicious Browser Child Process ( #4053 )
2023-04-05 14:58:09 +02:00
5d1130262f
feat: new rule proc_creation_macos_suspicious_applet_behaviour.yml ( #4126 )
2023-04-03 12:27:17 +02:00
da468ec37a
feat: new rule proc_creation_macos_add_to_admin_group.yml ( #4121 )
2023-03-21 11:29:42 +01:00
137dcbcc50
feat: more updates and fixes
2023-02-28 15:22:25 +01:00
db4fb9ff8e
Merge pull request #4056 from D4rkCiph3r/installer-child
...
Create proc_creation_macos_susp_installer_child_process.yml
2023-02-22 09:04:58 +01:00
275748b671
fix: add missing space + rename file
2023-02-21 23:29:47 +01:00
8220d9b5b2
fix: add slash to image field
...
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com >
2023-02-21 23:17:09 +01:00
848a64fa69
Create proc_creation_macos_persistence_via_plistbuddy.yml ( #4057 )
2023-02-20 14:15:31 +01:00
d0af939108
Create proc_creation_macos_enable_guest_account.yml ( #4054 )
2023-02-20 14:13:52 +01:00
f9a73c7a79
Update proc_creation_macos_create_account.yml ( #4052 )
2023-02-20 14:13:06 +01:00
97e2717343
Update proc_creation_macos_susp_installer_child_process.yml
...
Updated the selection syntax
2023-02-20 18:19:43 +05:30
cd16dff85d
Update rules/macos/process_creation/proc_creation_macos_susp_installer_child_process.yml
2023-02-20 06:32:47 +01:00
c016748316
Update proc_creation_macos_susp_installer_child_process.yml
2023-02-18 19:10:01 +05:30
cc5bce2035
Create proc_creation_macos_susp_installer_child_process.yml
...
Summary of the Pull Request:
The pull request adds a new rule for macOS (T1059, T1059.007, T1071, T1071.001)
Detailed Description of the Pull Request / Additional comments:
The rule helps detect the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters. The legitimate softwares also use scripts(preinstall and postinstall). Baselining or application allow-listing monitoring helps reduce the false positives
Example Log Event (In Case of FP Fixes)
NA
Relevant Issues (In Case of Issue Fixes)
NA
2023-02-18 19:04:22 +05:30
2ae212f5ab
fix: remove unnecessary filter
2023-02-17 21:36:54 +01:00
c965a8dca0
Update proc_creation_macos_binary_padding.yml
...
Updated the modified field
reference link is same, I have a PR in ART Repo for the same, which is yet to be verified, maybe if it's allowed the man pages of "truncate" and "dd" can be referenced
Discarding the filter, there should either be "of="(output file) or a redirection or append symbol
2023-02-17 23:16:28 +05:30
45ff572bd2
Update proc_creation_macos_binary_padding.yml
...
Minor changes
2023-02-17 18:22:26 +05:30
afc6198da8
Update proc_creation_macos_binary_padding.yml
...
Few minor changes, increasing the precision of the rule and reducing the possible false positives.
2023-02-17 18:05:55 +05:30
0795ed6469
feat: additional updates and fixes
2023-02-04 21:06:47 +01:00
9ad58353a7
Update from review
2023-02-01 18:30:45 +01:00
c1ef84fd66
Merge remote-tracking branch 'upstream/master' into pr/3989
2023-02-01 18:27:51 +01:00
3d8b82805c
Merge pull request #3992 from D4rkCiph3r/osacompile
...
Create proc_creation_macos_osacompile_run-only_execution.yml
2023-02-01 18:17:00 +01:00
f121041cf0
Merge pull request #3991 from D4rkCiph3r/macro-osa
...
Create proc_creation_macos_macros_execution.yml
2023-02-01 18:16:23 +01:00
55f16c3f84
fix: update metadata and logic
2023-02-01 17:45:01 +01:00
d8b17f1d9f
fix: add ref and update description
2023-02-01 17:23:36 +01:00
0cddb6194c
Merge pull request #3993 from D4rkCiph3r/patch-1
...
feat: add new extension to osascript rule
2023-02-01 17:22:08 +01:00
04227055e4
fix: add reference
2023-02-01 17:15:10 +01:00
7c38a5c496
chore: add nextron authors tag
2023-02-01 11:14:59 +01:00
cd58c1baef
fix title case
2023-02-01 06:35:26 +01:00
26575cc2e0
Update proc_creation_macos_applescript.yml
2023-01-31 17:46:43 +01:00
596f5471f4
Merge branch 'SigmaHQ:master' into osacompile
2023-01-31 19:22:47 +05:30
ce577987a2
Update and rename proc_creation_macos_osacompile_run-only_execution.yml to proc_creation_macos_osacompile_runonly_execution.yml
2023-01-31 19:20:06 +05:30
c3b826a76c
Update proc_creation_macos_applescript.yml
...
minor updates to the CLI parameters, based on real-world observations
2023-01-31 19:16:15 +05:30
440649b087
Create proc_creation_macos_osacompile_run-only_execution.yml
2023-01-31 19:03:35 +05:30
4c28487480
New Rule for T1115 macOS ( #3988 )
...
feat: add new rule related to osascript reading clipboard
2023-01-31 14:32:08 +01:00
e4ace3d363
Create proc_creation_macos_macros_execution.yml
2023-01-31 18:48:03 +05:30
21ac747d36
Update proc_creation_macos_jxa_payoad_execution.yml
...
updated the formats wrt fields structuring
2023-01-31 17:35:27 +05:30
98250cba9c
Create proc_creation_macos_jxa_payoad_execution.yml
2023-01-31 17:23:24 +05:30
4006145b8d
fix: filename
2023-01-31 12:53:04 +01:00
eb26d94c14
fix: order fields and optimize selection
2023-01-31 12:42:20 +01:00
f67072fddc
Update proc_creation_macos_jxa_in-memory_execution.yml
2023-01-31 16:54:29 +05:30
87879f69cf
Update proc_creation_macos_jxa_in-memory_execution.yml
...
Indentation corrections and comments
2023-01-31 16:52:17 +05:30
aa3fa9b7e4
Create proc_creation_macos_jxa_in-memory_execution.yml
2023-01-31 16:06:39 +05:30
52e40d10ef
feat: updates multiple mitre tech/sub-tech/tactics ( #3913 )
2023-01-12 17:04:38 +01:00
756a248032
update logsource
2023-01-04 18:52:24 +01:00
d38195ea31
fix: remove folder start
2022-12-29 11:32:37 +01:00
425c29cf1c
feat: add new linux rules
2022-12-29 11:17:42 +01:00
7060db3d47
Promotion rules ( #3821 )
...
* Promotion rules
* fix missing null
* fix: modified date
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2022-12-27 12:29:10 +01:00
c820216541
Update Title ( #3733 )
2022-11-28 06:43:17 +01:00
cd4121d966
Update Title ( #3731 )
...
Co-authored-by: Florian Roth <venom14@gmail.com >
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com >
2022-11-27 19:19:27 +01:00
D4rkCiph3r