security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
56fc2beb467a73f8d653b1ad54f8bf80b75cd538
sigma-rules/rules/macos
T
History
Thijs Xhaflaire df1f0bc98e [New Rule] Add Jamf Protect detection rules (#4047) 
* Create privilege_escalation_user_added_to_admin_group.toml

* Update privilege_escalation_user_added_to_admin_group.toml

* Update privilege_escalation_user_added_to_admin_group.toml

* Adding pbpaste detection rule and minor adjustments to user added to group

* Update credential_access_high_volume_of_pbpaste.toml

* Update credential_access_high_volume_of_pbpaste.toml

* Adding two rules to validate our approach.

* Updated index to "logs-jamf_protect*"

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml

* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml

* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Moved to rules/macos folder

* Removed rules from integration/jamf folder

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* minstack rules and support jamf_protect non-dataset

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
2024-09-12 15:03:56 -05:00
..
credential_access_credentials_keychains.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_dumping_hashes_bi_cmds.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_dumping_keychain_security.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_high_volume_of_pbpaste.toml
[New Rule] Add Jamf Protect detection rules (#4047)
2024-09-12 15:03:56 -05:00
credential_access_kerberosdump_kcc.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_keychain_pwd_retrieval_security_cmd.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_mitm_localhost_webproxy.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_potential_macos_ssh_bruteforce.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_promt_for_pwd_via_osascript.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
credential_access_suspicious_web_browser_sensitive_file_access.toml
Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#4029)
2024-08-28 16:33:44 +01:00
credential_access_systemkey_dumping.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_apple_softupdates_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_attempt_del_quarantine_attrib.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_attempt_to_disable_gatekeeper.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_install_root_certificate.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_modify_environment_launchctl.toml
[Tuning] MacOS Comprehensive Detection Rule Tuning (#3435)
2024-05-11 12:52:18 -05:00
defense_evasion_privacy_controls_tcc_database_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_safari_config_change.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_tcc_bypass_mounted_apfs_access.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
defense_evasion_unload_endpointsecurity_kext.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
discovery_users_domain_built_in_commands.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_defense_evasion_electron_app_childproc_node_js.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_initial_access_suspicious_browser_childproc.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_installer_package_spawned_network_event.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_script_via_automator_workflows.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_scripting_osascript_exec_followed_by_netcon.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
execution_shell_execution_via_apple_scripting.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
initial_access_suspicious_mac_ms_office_child_process.toml
[Bug] Fix test_os_and_platform_in_query test and rules (#3695)
2024-05-20 08:43:30 -07:00
lateral_movement_credential_access_kerberos_bifrostconsole.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_mounting_smb_share.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_remote_ssh_login_enabled.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
lateral_movement_vpn_connection_attempt.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_account_creation_hide_at_logon.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_creation_change_launch_agents_file.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_creation_hidden_login_item_osascript.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_creation_modif_launch_deamon_sequence.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_credential_access_authorization_plugin_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_crontab_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_directory_services_plugins_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_docker_shortcuts_plist_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_emond_rules_file_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_emond_rules_process_execution.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_enable_root_account.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_evasion_hidden_launch_agent_deamon_creation.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_finder_sync_plugin_pluginkit.toml
[Tuning] MacOS Comprehensive Detection Rule Tuning (#3435)
2024-05-11 12:52:18 -05:00
persistence_folder_action_scripts_runtime.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_login_logout_hooks_defaults.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_loginwindow_plist_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_modification_sublime_app_plugin_or_script.toml
Refresh MITRE Attack v15.1.0 (#3725)
2024-06-04 20:14:58 +05:30
persistence_periodic_tasks_file_mdofiy.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_screensaver_engine_unexpected_child_process.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_screensaver_plist_file_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_suspicious_calendar_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
persistence_via_atom_init_file_modification.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_applescript_with_admin_privs.toml
[Tuning] MacOS Comprehensive Detection Rule Tuning (#3435)
2024-05-11 12:52:18 -05:00
privilege_escalation_explicit_creds_via_scripting.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_exploit_adobe_acrobat_updater.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_local_user_added_to_admin.toml
[Tuning] MacOS Comprehensive Detection Rule Tuning (#3435)
2024-05-11 12:52:18 -05:00
privilege_escalation_root_crontab_filemod.toml
Back-porting Version Trimming (#3704)
2024-05-23 00:45:10 +05:30
privilege_escalation_user_added_to_admin_group.toml
[New Rule] Add Jamf Protect detection rules (#4047)
2024-09-12 15:03:56 -05:00