From b73564b541271448702097175f836080da67bd93 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 8 Feb 2021 16:54:39 +0100
Subject: [PATCH] [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783)

---
 rules/macos/lateral_movement_remote_ssh_login_enabled.toml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 14a5bd776..a7c584bc8 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -14,6 +14,7 @@ name = "Remote SSH Login Enabled via systemsetup Command"
 references = [
 "https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf",
 "https://ss64.com/osx/systemsetup.html",
+ "https://support.apple.com/guide/remote-desktop/about-systemsetup-apd95406b8d/mac",
 ]
 risk_score = 47
 rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
@@ -24,7 +25,7 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and process.name:systemsetup and
- process.args:("-f" and "-setremotelogin" and on)
+ process.args:("-setremotelogin" and on)
 '''