[Rule Tuning] Execution with Explicit Credentials via Scripting (#2190)

* add case sensitive Python process name and T1548

rules/macos/privilege_escalation_explicit_creds_via_scripting.toml

@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2022/07/27"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
  process.name:"security_authtrampoline" and
- process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or perl* or php* or ruby or pwsh)
+ process.parent.name:(osascript or com.apple.automator.runner or sh or bash or dash or zsh or python* or Python or perl* or php* or ruby or pwsh)
 '''
 
 
@@ -40,6 +40,16 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
 
+[[rule.threat.technique]]
+id = "T1548"
+name = "Abuse Elevation Control Mechanism"
+reference = "https://attack.mitre.org/techniques/T1548/"
+[[rule.threat.technique.subtechnique]]
+id = "T1548.004"
+name = "Elevated Execution with Prompt"
+reference = "https://attack.mitre.org/techniques/T1548/004/"
+
+
 
 [rule.threat.tactic]
 id = "TA0004"