security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
01dc930c173e329c191245b76f05de5fa4b5da21
blue-team-tools/rules/linux/macos/process_creation/macos_susp_histfile_operations.yml
T
frack113 01dc930c17 Change status for old rules
2021-11-27 11:33:14 +01:00

30 lines
785 B
YAML
Raw Blame History

title: 'Suspicious History File Operations'
id: 508a9374-ad52-4789-b568-fc358def2c65
status: test
description: 'Detects commandline operations on shell history files'
author: 'Mikhail Larin, oscd.community'
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
date: 2020/10/17
modified: 2021/11/27
logsource:
product: macos
category: process_creation
detection:
selection:
CommandLine|contains:
- '.bash_history'
- '.zsh_history'
- '.zhistory'
- '.history'
- '.sh_history'
- 'fish_history'
condition: selection
falsepositives:
- 'Legitimate administrative activity'
- 'Ligitimate software, cleaning hist file'
level: medium
tags:
- attack.credential_access
- attack.t1552.003
Reference in New Issue View Git Blame Copy Permalink