From 4f55e9b05f044131f6c19f553f2e06fcc7486bf5 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 5 Aug 2022 14:25:31 -0400
Subject: [PATCH] [Rule Tuning] Potential Persistence via Login Hook (#2177)

* Exclude FPs for iMazing Profile Editor and backupd
---
 rules/macos/persistence_loginwindow_plist_modification.toml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index de9b092b1..31e1f9d45 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2022/07/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,8 @@ type = "query"
 query = '''
 event.category:"file" and not event.type:"deletion" and file.name:"com.apple.loginwindow.plist" and
- process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))
+ process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor"
+))
 '''