diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 7f1d21e3c..2a010357f 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ for macOS to keep track of users' passwords and credentials for many services an
 websites, secure notes and certificates.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to Keychain Credentials Directories"
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index f71916bbd..259dd41b8 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ built-in way for macOS to keep track of users' passwords and credentials for man
 and website passwords, secure notes, certificates, and Kerberos.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 37117d8c8..47ebc3c38 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
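Review bot: The narrowed `index = ["logs-endpoint.events.process*"]` in the second hunk changes which data streams this rule searches, but the rule's `query` lies outside the hunk, so the diff alone cannot show that every event category the EQL references (and every step of a `sequence`, if the query is one) still lands on a listed stream; the same check applies to the `index =` hunk of every other rule file in this change on L1–L14. For the rules narrowed to a single category (`process*` or `file*`) the query must not filter on or sequence over a second category, and for the rules that now enumerate two streams (`file*` with `process*`, `network*` with `process*`) each listed stream should correspond to an actual query step, otherwise it only adds search load back. Because each new pattern ends in a bare `*` with no namespace suffix, data streams in non-default namespaces stay in scope as they were under `logs-endpoint.events.*`. I would confirm the mapping once per rule against the query text rather than infer it from the rule name.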
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/06"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ and website passwords, secure notes, certificates, and Kerberos.
 """
 false_positives = ["Applications for password management."]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Keychain Password Retrieval via Command Line"
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index 5b5f24667..3d592185e 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the use of osascript to execute scripts via standard input that may p
 credentials.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Prompt for Credentials with OSASCRIPT"
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 210c47484..b416eec0b 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ downloaded from the internet, there is a quarantine flag set on the file. This a
 defense program at execution time. An adversary may disable this attribute to evade defenses.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Quarantine Attrib Removed by Unsigned or Untrusted Process"
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index 8539f0586..8740060cc 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ indicate an attempt to bypass macOS privacy controls, including access to sensit
 microphone, address book, and calendar.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index bb618f179..4a3df5e32 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Daemon (sshd) to the authorized application list for Full Disk Access. This may
 privacy controls to access sensitive files.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via Localhost Secure Copy"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 19802d350..8d76cbe2d 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands related to account or group
 and group information to orient themselves before deciding how to act.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Users or Groups via Built-in Commands"
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index 1437bb7f2..ca94c1958 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ visiting a website over the normal course of browsing. With this technique, the
 for exploitation.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Browser Child Process"
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index dee99e109..83a0df220 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/02/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "MacOS Installer Package Spawns Network Event"
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index c9869178b..675b7dbab 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Adversaries may drop a custom workflow template that hosts malicious JavaScript
 alternative to using osascript.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Automator Workflows Execution"
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index e72db635a..14e1b37d2 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Detects execution via the Apple script interpreter (osascript) followed by a net
 within a short time period. Adversaries may use malicious scripts for execution and command and control.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.network*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Apple Script Execution followed by Network Connection"
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index d6e2ca8bf..28baaa593 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the execution of the shell process (sh) via scripting (JXA or AppleSc
 doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Shell Execution via Apple Scripting"
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index 6a9c0878f..b89f017f6 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/04"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ Excel). These child processes are often launched during exploitation of Office a
 malicious macros.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious macOS MS Office Child Process"
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 4983f63fa..3ca77d2ef 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands to mount a Server Message Bl
 use valid accounts to interact with a remote network share using SMB.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Mount SMB Share via Command Line"
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 0164501a6..abec7fd2e 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the execution of macOS built-in commands to connect to an existing Vi
 may use VPN connections to laterally move and control remote systems on a network.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Virtual Private Network Connection Attempt"
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index cf36c7e95..95a1ec368 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ launchctl to load a plist into the appropriate directories.
 """
 false_positives = ["Trusted applications persisting via LaunchAgent"]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Launch Agent Creation or Modification and Immediate Loading"
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 99dfa038c..f050aa756 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the execution of osascript to create a hidden login item. This may in
 program while concealing its presence.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of Hidden Login Item via Apple Script"
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 984c15a42..db8e0e585 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ payloads as part of persistence.
 """
 false_positives = ["Trusted applications persisting via LaunchDaemons"]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*", "logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "LaunchDaemon Creation or Modification and Immediate Loading"
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index be9c600a8..33d1ab602 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2022/04/25"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies attempts to create or modify a crontab via a process that is not cron
 activity should not be highly prevalent and could indicate the use of cron as a persistence mechanism by a threat actor.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious CronTab Creation or Modification"
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index b69497f05..00185213a 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the creation or modification of the Event Monitor Daemon (emond) rule
 writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Emond Rules Creation or Modification"
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 431b82614..71e41889d 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ service by writing a rule to execute commands when a defined event occurs, such
 authentication.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Emond Child Process"
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index a2c0c6bbf..bb77e4302 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the creation of a hidden launch agent or daemon. An adversary may est
 launch agent or daemon which executes at login.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of Hidden Launch Agent or Daemon"
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 2fd1b692b..0fc179859 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/18"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ this feature by adding a rogue Finder Plugin to repeatedly execute malicious pay
 """
 false_positives = ["Trusted Finder Sync Plugins"]
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Finder Sync Plugin Registered and Enabled"
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 6dbc162a9..6ad77bc7a 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ attached has items added or removed, or when its window is opened, closed, moved
 feature to establish persistence by utilizing a malicious script.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Folder Action Script"
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index f64afd998..40020db35 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/07"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies use of the Defaults command to install a login or logoff hook in MacO
 capability to establish persistence in an environment by inserting code to be executed at login or logout.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Login or Logout Hook"
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index afa5fd22d..f1a8df2a9 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/23"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Adversaries may create or modify the Sublime application plugins or scripts to e
 Sublime application is started.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sublime Plugin or Application Script Modification"
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 6ce6ddb89..0ce7bd9a7 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ on a macOS endpoint by creating a malicious screensaver (.saver) file and config
 execute code each time the screensaver is activated.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unexpected Child Process of macOS Screensaver Engine"
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 006ce9366..294e05f5e 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ a macOS endpoint by creating a malicious screensaver (.saver) file and configuri
 code each time the screensaver is activated.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Screensaver Plist File Modified by Unexpected Process"
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 3eea33927..ba8ccc674 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/27"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/04"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies execution of the Apple script interpreter (osascript) without a passw
 privileges.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.process*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Apple Scripting Execution with Administrator Privileges"