security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Modification of Environment Variable via Launchctl (#1010)

Browse Source 
* [Rule Tuning] Modification of Environment Variable via Launchctl

* update date
This commit is contained in:
Samirbous
2021-03-19 10:20:04 +01:00
committed by GitHub
parent 04f3cd967d
commit dd1214627a
1 changed files with 13 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/macos/defense_evasion_modify_environment_launchctl.toml
+13 -2
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/14"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/09"
[rule]
author = ["Elastic"]
@@ -28,7 +28,18 @@ type = "query"
query = '''
event.category:process and event.type:start and
process.name:launchctl and
process.args:(setenv and not (JAVA*_HOME or RUNTIME_JAVA_HOME or DBUS_LAUNCHD_SESSION_BUS_SOCKET or ANT_HOME))
process.args:(setenv and not (JAVA*_HOME or
RUNTIME_JAVA_HOME or
DBUS_LAUNCHD_SESSION_BUS_SOCKET or
ANT_HOME or
LG_WEBOS_TV_SDK_HOME or
WEBOS_CLI_TV or
EDEN_ENV)
) and
not process.parent.executable:("/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
"/usr/local/bin/kr" or
"/Applications/NoMachine.app/Contents/Frameworks/bin/nxserver.bin" or
"/Applications/IntelliJ IDEA CE.app/Contents/jbr/Contents/Home/lib/jspawnhelper")
'''