[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447)
This commit is contained in:
Jonhnathan
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/08/14"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ for macOS to keep track of users' passwords and credentials for many services an
|
||||
websites, secure notes and certificates.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Access to Keychain Credentials Directories"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/01/04"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ built-in way for macOS to keep track of users' passwords and credentials for man
|
||||
and website passwords, secure notes, certificates, and Kerberos.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Dumping of Keychain Content via Security Command"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/01/06"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +13,7 @@ and website passwords, secure notes, certificates, and Kerberos.
|
||||
"""
|
||||
false_positives = ["Applications for password management."]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Keychain Password Retrieval via Command Line"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/11/16"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies the use of osascript to execute scripts via standard input that may p
|
||||
credentials.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Prompt for Credentials with OSASCRIPT"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/08/14"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ downloaded from the internet, there is a quarantine flag set on the file. This a
|
||||
defense program at execution time. An adversary may disable this attribute to evade defenses.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.file*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Quarantine Attrib Removed by Unsigned or Untrusted Process"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/23"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ indicate an attempt to bypass macOS privacy controls, including access to sensit
|
||||
microphone, address book, and calendar.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Privacy Control Bypass via TCCDB Modification"
|
||||
|
||||
+2
-2
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/01/11"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ Daemon (sshd) to the authorized application list for Full Disk Access. This may
|
||||
privacy controls to access sensitive files.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Potential Privacy Control Bypass via Localhost Secure Copy"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/01/12"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands related to account or group
|
||||
and group information to orient themselves before deciding how to act.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Enumeration of Users or Groups via Built-in Commands"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/23"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ visiting a website over the normal course of browsing. With this technique, the
|
||||
for exploitation.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Browser Child Process"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/02/23"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -20,7 +20,7 @@ false_positives = [
|
||||
""",
|
||||
]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "MacOS Installer Package Spawns Network Event"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/23"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ Adversaries may drop a custom workflow template that hosts malicious JavaScript
|
||||
alternative to using osascript.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Automator Workflows Execution"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/07"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Detects execution via the Apple script interpreter (osascript) followed by a net
|
||||
within a short time period. Adversaries may use malicious scripts for execution and command and control.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Apple Script Execution followed by Network Connection"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/07"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies the execution of the shell process (sh) via scripting (JXA or AppleSc
|
||||
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Shell Execution via Apple Scripting"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/01/04"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ Excel). These child processes are often launched during exploitation of Office a
|
||||
malicious macros.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious macOS MS Office Child Process"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/01/25"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands to mount a Server Message Bl
|
||||
use valid accounts to interact with a remote network share using SMB.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Attempt to Mount SMB Share via Command Line"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/01/25"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands to connect to an existing Vi
|
||||
may use VPN connections to laterally move and control remote systems on a network.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Virtual Private Network Connection Attempt"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/07"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ launchctl to load a plist into the appropriate directories.
|
||||
"""
|
||||
false_positives = ["Trusted applications persisting via LaunchAgent"]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Launch Agent Creation or Modification and Immediate Loading"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/01/05"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies the execution of osascript to create a hidden login item. This may in
|
||||
program while concealing its presence.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Creation of Hidden Login Item via Apple Script"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/07"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ payloads as part of persistence.
|
||||
"""
|
||||
false_positives = ["Trusted applications persisting via LaunchDaemons"]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "LaunchDaemon Creation or Modification and Immediate Loading"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2022/04/25"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies attempts to create or modify a crontab via a process that is not cron
|
||||
activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.file*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious CronTab Creation or Modification"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/01/11"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies the creation or modification of the Event Monitor Daemon (emond) rule
|
||||
writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.file*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Emond Rules Creation or Modification"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/01/11"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ service by writing a rule to execute commands when a defined event occurs, such
|
||||
authentication.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Suspicious Emond Child Process"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/01/05"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies the creation of a hidden launch agent or daemon. An adversary may est
|
||||
launch agent or daemon which executes at login.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.file*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Creation of Hidden Launch Agent or Daemon"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/18"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ this feature by adding a rogue Finder Plugin to repeatedly execute malicious pay
|
||||
"""
|
||||
false_positives = ["Trusted Finder Sync Plugins"]
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Finder Sync Plugin Registered and Enabled"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/07"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ attached has items added or removed, or when its window is opened, closed, moved
|
||||
feature to establish persistence by utilizing a malicious script.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Persistence via Folder Action Script"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/07"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies use of the Defaults command to install a login or logoff hook in MacO
|
||||
capability to establish persistence in an environment by inserting code to be executed at login or logout.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Persistence via Login or Logout Hook"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/23"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Adversaries may create or modify the Sublime application plugins or scripts to e
|
||||
Sublime application is started.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.file*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Sublime Plugin or Application Script Modification"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/10/05"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -13,7 +13,7 @@ on a macOS endpoint by creating a malicious screensaver (.saver) file and config
|
||||
execute code each time the screensaver is activated.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Unexpected Child Process of macOS Screensaver Engine"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2021/10/05"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -12,7 +12,7 @@ a macOS endpoint by creating a malicious screensaver (.saver) file and configuri
|
||||
code each time the screensaver is activated.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.file*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Screensaver Plist File Modified by Unexpected Process"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/12/27"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2025/01/15"
|
||||
updated_date = "2025/02/04"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -11,7 +11,7 @@ Identifies execution of the Apple script interpreter (osascript) without a passw
|
||||
privileges.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["logs-endpoint.events.*"]
|
||||
index = ["logs-endpoint.events.process*"]
|
||||
language = "eql"
|
||||
license = "Elastic License v2"
|
||||
name = "Apple Scripting Execution with Administrator Privileges"
|
||||
|
||||
Reference in New Issue
Block a user