From b3334941f910b99ef74a3d9d0833041d6e7f8902 Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 22 Jul 2022 17:10:09 -0400
Subject: [PATCH] [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#2147)

* exclude jamf fp and add ssh subtechnique

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 .../lateral_movement_remote_ssh_login_enabled.toml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 1054f67db..bc970d231 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,8 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and process.name:systemsetup and
- process.args:("-setremotelogin" and on)
+ process.args:("-setremotelogin" and on) and
+ not process.parent.executable : /usr/local/jamf/bin/jamf
 '''
 
 
 
@@ -36,6 +37,11 @@ framework = "MITRE ATT&CK"
 id = "T1021"
 name = "Remote Services"
 reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.004"
+name = "SSH"
+reference = "https://attack.mitre.org/techniques/T1021/004/"
+
 
 
 [rule.threat.tactic]
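Review bot: The exclusion added on the last `+` line of the query hunk keys only on the parent executable path `/usr/local/jamf/bin/jamf`, so any process started from that path — not just the Jamf management agent — now suppresses the alert, and nothing in the commit records that trade-off. The rule's description or false-positive notes should state that Jamf-driven enablement of remote login is deliberately excluded, and where the data source carries `process.parent.code_signature.*` fields, a signer condition alongside the path would keep the exclusion narrow. The new line also writes `process.parent.executable : /usr/...` with spaces around the colon while the existing `process.args:(...)` clause has none; `not process.parent.executable:/usr/local/jamf/bin/jamf` matches the query's style.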