security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] WebProxy Settings Modification (#1008)

Browse Source 
* [Rule Tuning] WebProxy Settings Modification

* kql optimz test

* update date
This commit is contained in:
Samirbous
2021-03-19 10:00:50 +01:00
committed by GitHub
parent 83dfe911bc
commit be3c7eaf45
1 changed files with 6 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/credential_access_mitm_localhost_webproxy.toml
+6 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/05"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/09"
[rule]
author = ["Elastic"]
@@ -27,8 +27,11 @@ timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:process and event.type:start and
process.name:networksetup and process.args:("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl")
event.category : process and event.type : start and
process.name : networksetup and process.args : (("-setwebproxy" or "-setsecurewebproxy" or "-setautoproxyurl") and not (Bluetooth or off)) and
not process.parent.executable : ("/Library/PrivilegedHelperTools/com.80pct.FreedomHelper" or
"/Applications/Fiddler Everywhere.app/Contents/Resources/app/out/WebServer/Fiddler.WebUi" or
"/usr/libexec/xpcproxy")
'''