From d6527afd511dfc359774011a2015da46da33c43b Mon Sep 17 00:00:00 2001
From: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Date: Fri, 22 Jul 2022 15:25:12 -0500
Subject: [PATCH] [Rule Tuning] Remove File Quarantine Attribute (#2129)
---
 ..._evasion_attempt_del_quarantine_attrib.toml | 18 +++++------------
 1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 501f4a77d..92d1bf9c0 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/07/18"
+updated_date = "2022/07/20"
 
 [rule]
 author = ["Elastic"]
@@ -32,20 +32,12 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.args : "xattr" and
+ process.name : "xattr" and
 (
 (process.args : "com.apple.quarantine" and process.args : ("-d", "-w")) or
- (process.args : "-c" and process.command_line : ( "/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *", "/bin/sh -c xattr -c *" ) )
- ) and not process.args : ( "/Applications/Google Chrome.app", "/Applications/Microsoft Edge.app" )
+ (process.args : "-c") or
+ (process.command_line : ("/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *", "/bin/sh -c xattr -c *"))
+ ) and not process.args_count > 12
 '''
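Review bot: The new `not process.args_count > 12` exclusion at the end of the query is an arity-based allowlist that an adversary can satisfy trivially, e.g. by listing a dozen extra file paths after the real target of `xattr -d com.apple.quarantine`, whereas the removed `process.args : ("/Applications/Google Chrome.app", "/Applications/Microsoft Edge.app")` clause only exempted two specific bundles. If the goal is to tune out bulk browser updates, tying the exclusion to what those processes look like (the bundle paths as before, or the updater as parent, e.g. `process.parent.name`/`process.parent.executable` if the data source populates them) is harder to abuse than a bare argument count, and the trade-off should be recorded in the rule's `false_positives` or `note` field, which lies outside this hunk so I cannot tell whether it already is. Separately, the branch `(process.command_line : ("/bin/bash -c xattr -c *", "/bin/zsh -c xattr -c *", "/bin/sh -c xattr -c *"))` appears unreachable now that `process.name : "xattr"` is a top-level conjunct: a shell process running `xattr -c` has process.name bash/zsh/sh, and the child xattr process it spawns is already matched by the `(process.args : "-c")` branch, so that third branch should either be dropped or the name check moved into the alternation, `(process.name : "xattr" and (...)) or process.command_line : (...)`.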