security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
18a4e468cedfe9d1abacc299fffa1137fab11f74
sigma-rules/rules/macos
T
History
Samirbous 18a4e468ce [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension (#807) 
* [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-08 22:22:16 +01:00
..
credential_access_access_to_browser_credentials_procargs.toml
[New Rule] Access to Browsers Credential Files (#789)
2021-02-04 16:34:49 +01:00
credential_access_credentials_keychains.toml
[Rule Tuning] Compression of Keychain Credentials Directories (#787)
2021-02-08 17:31:04 +01:00
credential_access_dumping_keychain_security.toml
[New Rule] Dumping of Keychain Content via Security Command (#785)
2021-01-28 19:50:41 +01:00
credential_access_kerberosdump_kcc.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
credential_access_mitm_localhost_webproxy.toml
[New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805)
2021-01-29 18:58:14 +01:00
credential_access_potential_ssh_bruteforce.toml
[New Rule] Potential SSH Bruteforce Detected (#538)
2020-12-04 17:18:03 +01:00
credential_access_promt_for_pwd_via_osascript.toml
[Rule Tuning] Prompt for Credentials with OSASCRIPT (#759)
2021-02-08 16:42:23 +01:00
defense_evasion_apple_softupdates_modification.toml
[New Rule] SoftwareUpdate Preferences Modification (#869)
2021-02-03 18:12:37 +01:00
defense_evasion_attempt_del_quarantine_attrib.toml
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
defense_evasion_modify_environment_launchctl.toml
[New Rule] Environment Variable Modification using Launchctl (#865)
2021-01-26 21:41:30 +01:00
defense_evasion_privacy_controls_tcc_database_modification.toml
[New Rule] Potential MacOS Privacy Controls Bypass via TCCDB Modification (#765)
2021-02-08 16:48:53 +01:00
defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
[New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy (#830)
2021-02-03 17:54:15 +01:00
defense_evasion_safari_config_change.toml
[New Rule] Safari Settings Modification using Defaults Command (#861)
2021-02-04 16:38:56 +01:00
defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
[New Rule] Potential Office Sandbox Evasion via ZIP File (#834)
2021-02-04 16:47:58 +01:00
defense_evasion_tcc_bypass_mounted_apfs_access.toml
[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775)
2021-01-26 08:50:28 +01:00
defense_evasion_unload_endpointsecurity_kext.toml
[New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension (#807)
2021-02-08 22:22:16 +01:00
execution_defense_evasion_electron_app_childproc_node_js.toml
[New Rule] Execution via Electron Child Process Node.js Module (#817)
2021-01-29 19:06:49 +01:00
execution_initial_access_suspicious_browser_childproc.toml
[New Rule] Suspicious Browser Child Process (#767)
2021-02-08 15:06:18 +01:00
execution_script_via_automator_workflows.toml
[New Rule] Script Execution via Automator Workflows (#763)
2021-01-26 09:07:39 +01:00
execution_scripting_osascript_exec_followed_by_netcon.toml
[New Rule] Apple Script Execution followed by Network Connection (#681)
2020-12-08 12:25:03 +01:00
execution_shell_execution_via_apple_scripting.toml
[New Rule] Shell Execution via Apple Scripting (#687)
2020-12-08 11:45:39 +01:00
initial_access_suspicious_mac_ms_office_child_process.toml
Update revoked technique
2021-01-28 11:03:17 -09:00
lateral_movement_remote_ssh_login_enabled.toml
[Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783)
2021-02-08 16:54:39 +01:00
lateral_movement_vpn_connection_attempt.toml
[New Rule] Virtual Private Network Connection Attempt (#912)
2021-02-03 18:18:09 +01:00
persistence_account_creation_hide_at_logon.toml
[New Rule] Attempt to Create a Hidden Local Account (#799)
2021-02-08 17:24:56 +01:00
persistence_creation_change_launch_agents_file.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
persistence_creation_hidden_login_item_osascript.toml
[New Rule] Creation Attempt of a Hidden Login Item via Apple Script (#801)
2021-02-08 17:22:01 +01:00
persistence_creation_modif_launch_deamon_sequence.toml
[New Rule] LaunchDaemon Creation or Modification followed by Loading (#698)
2020-12-08 16:04:34 +01:00
persistence_docker_shortcuts_plist_modification.toml
[New Rule] Persistence via Docker Shortcut Modification (#733)
2021-01-26 08:38:38 +01:00
persistence_emond_rules_file_creation.toml
[New Rule] 2 Rules for Persistence via Emond (#832)
2021-01-29 09:16:27 +01:00
persistence_emond_rules_process_execution.toml
[New Rule] 2 Rules for Persistence via Emond (#832)
2021-01-29 09:16:27 +01:00
persistence_enable_root_account.toml
[New Rule] Attempt to Enable the Root Account (#792)
2021-02-08 17:10:43 +01:00
persistence_evasion_hidden_launch_agent_deamon_creation.toml
[New Rule] Creation of a Hidden Launch Agent or Daemon (#797)
2021-01-29 19:01:15 +01:00
persistence_folder_action_scripts_runtime.toml
[New Rule] Persistence via Folder Action Script (#685)
2020-12-08 11:51:52 +01:00
persistence_login_logout_hooks_defaults.toml
[New Rule] Persistence via Login and/or Logout Hooks (#683)
2020-12-08 12:09:36 +01:00
persistence_loginwindow_plist_modification.toml
[New Rule] Potential Persistence via Login Hook (#900)
2021-01-26 08:35:16 +01:00
persistence_modification_sublime_app_plugin_or_script.toml
[New Rule] Sublime Plugin or Application Script Modification (#761)
2021-02-08 16:34:44 +01:00
persistence_periodic_tasks_file_mdofiy.toml
[New Rule] Potential Persistence via Periodic Tasks (#898)
2021-02-03 18:15:25 +01:00
privilege_escalation_applescript_with_admin_privs.toml
[New Rule] Execution with Administrator Privileges via Apple Scripting (#777)
2021-02-08 17:39:22 +01:00
privilege_escalation_explicit_creds_via_apple_scripting.toml
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689)
2020-12-08 11:57:52 +01:00
privilege_escalation_local_user_added_to_admin.toml
[New Rule] Attempt to Add an Account to the Admin Group (#803)
2021-01-29 19:03:17 +01:00