From d1bc53e29590736c0d591e28906cc23d9832a6bc Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Fri, 5 Aug 2022 14:36:05 -0400
Subject: [PATCH] [Rule Tuning] Persistence via Folder Action Script (#2174)

* Exclude FPs for iterm

Co-authored-by: Justin Ibarra
---
 rules/macos/persistence_folder_action_scripts_runtime.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 87f257846..3e5bfd31f 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/02/28"
+updated_date = "2022/07/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,9 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=5s
  [process where event.type in ("start", "process_started", "info") and process.name == "com.apple.foundation.UserScriptService"] by process.pid
- [process where event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh")] by process.parent.pid
+ [process where event.type in ("start", "process_started") and process.name in ("osascript", "python", "tcl", "node", "perl", "ruby", "php", "bash", "csh", "zsh", "sh") and
+ not process.args : "/Users/*/Library/Application Support/iTerm2/Scripts/AutoLaunch/*.scpt"
+ ] by process.parent.pid
 '''