sigma-rules/rules/macos at 364d9dd3bc196e8a52f0bcaead37cabbcc0e1b55 - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Colson Wilhoit 4ef72457d3 [Tuning] MacOS DR Tuning PR (#4546 )

* [Tuning] MacOS DR Tuning PR

* tunings

* tuning

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/execution_script_via_automator_workflows.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* fix

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

2025-04-21 17:32:05 -05:00

..

command_and_control_unusual_connection_to_suspicious_top_level_domain.toml

Add investigation guides (#4600 )

2025-04-07 20:55:39 +05:30

command_and_control_unusual_network_connection_to_suspicious_web_service.toml

Add investigation guides (#4600 )

2025-04-07 20:55:39 +05:30

credential_access_credentials_keychains.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

credential_access_dumping_hashes_bi_cmds.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

credential_access_dumping_keychain_security.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

credential_access_high_volume_of_pbpaste.toml

Replace master doc URLs with current (#4439 )

2025-02-03 21:27:50 +05:30

credential_access_kerberosdump_kcc.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

credential_access_keychain_pwd_retrieval_security_cmd.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

credential_access_mitm_localhost_webproxy.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

credential_access_potential_macos_ssh_bruteforce.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

credential_access_promt_for_pwd_via_osascript.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

credential_access_suspicious_web_browser_sensitive_file_access.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

credential_access_systemkey_dumping.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_apple_softupdates_modification.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_attempt_del_quarantine_attrib.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_attempt_to_disable_gatekeeper.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_install_root_certificate.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_modify_environment_launchctl.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_privacy_controls_tcc_database_modification.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_safari_config_change.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_tcc_bypass_mounted_apfs_access.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

defense_evasion_unload_endpointsecurity_kext.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

discovery_users_domain_built_in_commands.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

execution_defense_evasion_electron_app_childproc_node_js.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

execution_initial_access_suspicious_browser_childproc.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

execution_installer_package_spawned_network_event.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

execution_script_via_automator_workflows.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

execution_scripting_osascript_exec_followed_by_netcon.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

execution_shell_execution_via_apple_scripting.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

initial_access_suspicious_mac_ms_office_child_process.toml

[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447 )

2025-02-05 15:09:27 -03:00

lateral_movement_credential_access_kerberos_bifrostconsole.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

lateral_movement_mounting_smb_share.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

lateral_movement_remote_ssh_login_enabled.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

lateral_movement_vpn_connection_attempt.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_account_creation_hide_at_logon.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_creation_change_launch_agents_file.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_creation_hidden_login_item_osascript.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_creation_modif_launch_deamon_sequence.toml

[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447 )

2025-02-05 15:09:27 -03:00

persistence_credential_access_authorization_plugin_creation.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_crontab_creation.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_directory_services_plugins_modification.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_docker_shortcuts_plist_modification.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_emond_rules_file_creation.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_emond_rules_process_execution.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_enable_root_account.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_evasion_hidden_launch_agent_deamon_creation.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_finder_sync_plugin_pluginkit.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_folder_action_scripts_runtime.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_login_logout_hooks_defaults.toml

[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447 )

2025-02-05 15:09:27 -03:00

persistence_loginwindow_plist_modification.toml

[FR] Generate investigation guides (#4358 )

2025-01-22 11:17:38 -06:00

persistence_modification_sublime_app_plugin_or_script.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_periodic_tasks_file_mdofiy.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_screensaver_engine_unexpected_child_process.toml

[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447 )

2025-02-05 15:09:27 -03:00

persistence_screensaver_plist_file_modification.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_suspicious_calendar_modification.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

persistence_via_atom_init_file_modification.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

privilege_escalation_applescript_with_admin_privs.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

privilege_escalation_explicit_creds_via_scripting.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

privilege_escalation_exploit_adobe_acrobat_updater.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

privilege_escalation_local_user_added_to_admin.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

privilege_escalation_root_crontab_filemod.toml

[Tuning] MacOS DR Tuning PR (#4546 )

2025-04-21 17:32:05 -05:00

privilege_escalation_user_added_to_admin_group.toml

Replace master doc URLs with current (#4439 )

2025-02-03 21:27:50 +05:30