security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

MacOS Launch Daemon Creation Rule - Query Fix (#1722)

Browse Source 
* launch daemon creation syntax fix

* change updated date
This commit is contained in:
Colson Wilhoit
2022-01-25 12:47:51 -06:00
committed by GitHub
parent 95e3b87faf
commit cfd4d431dd
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+2 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/07"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2022/01/25"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ type = "eql"
query = '''
sequence by host.id with maxspan=1m
[file where event.type != "deletion" and file.path in ("/System/Library/LaunchDaemons/*", " /Library/LaunchDaemons/*")]
[file where event.type != "deletion" and file.path in ("/System/Library/LaunchDaemons/*", "/Library/LaunchDaemons/*")]
[process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
'''