security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
f275a6a3cd03489416fc72e58a617d952e5f94a9
blue-team-tools/rules/macos/process_creation
T
History
D4rkCiph3r f275a6a3cd Create proc_creation_macos_enable_root_account.yml 
Summary of the Pull Request:
The pull request adds a new rule for macOS (T1078, T1078.001)

Detailed Description of the Pull Request / Additional comments: 
The rule helps detect attempts to enable/add an account to the admin group, thus granting the root privilege using various utilities such as dsenableroot, dseditgroup and dscl

Example Log Event (In Case of FP Fixes)
NA

Relevant Issues (In Case of Issue Fixes)
NA
2023-02-18 18:20:18 +05:30
..
proc_creation_macos_applescript.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_base64_decode.yml
Update Title (#3731)
2022-11-27 19:19:27 +01:00
proc_creation_macos_binary_padding.yml
Update Title (#3731)
2022-11-27 19:19:27 +01:00
proc_creation_macos_change_file_time_attr.yml
feat: updates multiple mitre tech/sub-tech/tactics (#3913)
2023-01-12 17:04:38 +01:00
proc_creation_macos_clear_system_logs.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_create_account.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_create_hidden_account.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_creds_from_keychain.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_disable_security_tools.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_enable_root_account.yml
Create proc_creation_macos_enable_root_account.yml
2023-02-18 18:20:18 +05:30
proc_creation_macos_file_and_directory_discovery.yml
Title modified in several rules (#3728)
2022-11-25 15:34:38 +01:00
proc_creation_macos_find_cred_in_files.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_gui_input_capture.yml
Promotion rules (#3821)
2022-12-27 12:29:10 +01:00
proc_creation_macos_local_account.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_macos_local_groups.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_macos_network_service_scanning.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_network_sniffing.yml
Update Title (#3731)
2022-11-27 19:19:27 +01:00
proc_creation_macos_payload_decoded_and_decrypted.yml
new rules: Sigma rules based on Elastic rules (#3632)
2022-10-28 10:13:44 +02:00
proc_creation_macos_remote_system_discovery.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_schedule_task_job_cron.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_macos_screencapture.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_security_software_discovery.yml
Update Title (#3733)
2022-11-28 06:43:17 +01:00
proc_creation_macos_space_after_filename.yml
update logsource
2023-01-04 18:52:24 +01:00
proc_creation_macos_split_file_into_pieces.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_susp_execution_macos_script_editor.yml
feat: add new linux rules
2022-12-29 11:17:42 +01:00
proc_creation_macos_susp_find_execution.yml
feat: add new linux rules
2022-12-29 11:17:42 +01:00
proc_creation_macos_susp_histfile_operations.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_susp_macos_firmware_activity.yml
old experimental rule promotion
2022-10-09 16:54:04 +02:00
proc_creation_macos_system_network_connections_discovery.yml
feat: add new linux rules
2022-12-29 11:17:42 +01:00
proc_creation_macos_system_network_discovery.yml
fix: remove folder start
2022-12-29 11:32:37 +01:00
proc_creation_macos_system_shutdown_reboot.yml
Update Title (#3731)
2022-11-27 19:19:27 +01:00
proc_creation_macos_wizardupdate_malware_infection.yml
new rules: Sigma rules based on Elastic rules (#3632)
2022-10-28 10:13:44 +02:00
proc_creation_macos_xattr_gatekeeper_bypass.yml
Order yaml field 4 (#3628)
2022-10-25 09:30:05 +02:00
proc_creation_macos_xcsset_malware_infection.yml
new rules: Sigma rules based on Elastic rules (#3632)
2022-10-28 10:13:44 +02:00