security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Potential Privacy Control Bypass via TCCDB Modification (#2121)

Browse Source 
* add exception for Bitdefender
This commit is contained in:
Mika Ayenson
2022-07-22 16:07:41 -04:00
committed by GitHub
parent cefb84ae15
commit d2be29b226
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+3 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/23"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/07/18"
[rule]
author = ["Elastic"]
@@ -33,7 +33,8 @@ type = "eql"
query = '''
process where event.type in ("start", "process_started") and process.name : "sqlite*" and
process.args : "/*/Application Support/com.apple.TCC/TCC.db"
process.args : "/*/Application Support/com.apple.TCC/TCC.db" and
not process.parent.executable : "/Library/Bitdefender/AVP/product/bin/*"
'''