[Rule Tuning] Prompt for Credentials with OSASCRIPT (#759)

* [Rule Tuning] Prompt for Credentials with OSASCRIPT * Update credential_access_promt_for_pwd_via_osascript.toml * Update credential_access_promt_for_pwd_via_osascript.toml * Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * update date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-08 16:42:23 +01:00
parent 4cb28adece
commit 8b8cbcf8dd
1 changed files with 8 additions and 3 deletions
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2020/11/16"
+updated_date = "2021/02/08"

 [rule]
 author = ["Elastic"]
@@ -25,7 +25,8 @@ tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
 type = "eql"

 query = '''
-process where event.type in ("start", "process_started") and process.name:"osascript" and process.args:"-e" and process.args:"password"
+process where event.type in ("start", "process_started") and process.name : "osascript" and
+ process.command_line : "osascript*display dialog*password*"
 '''


@@ -35,10 +36,14 @@ framework = "MITRE ATT&CK"
 id = "T1056"
 name = "Input Capture"
 reference = "https://attack.mitre.org/techniques/T1056/"
+[[rule.threat.technique.subtechnique]]
+id = "T1056.002"
+name = "GUI Input Capture"
+reference = "https://attack.mitre.org/techniques/T1056/002/"
+


 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
-