security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5d9c031c8bbe1f3a687f99f2242fa8bad24bb85b
sigma-rules/rules/macos
T
History
Samirbous 5d9c031c8b [New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775) 
* [New Rule] TCC Bypass via Mounted APFS Snapshot Access

* Update defense_evasion_tcc_bypass_mounted_apfs_access.toml

* conv to kql

* Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-01-26 08:50:28 +01:00
..
credential_access_compress_credentials_keychains.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
credential_access_kerberosdump_kcc.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
credential_access_potential_ssh_bruteforce.toml
[New Rule] Potential SSH Bruteforce Detected (#538)
2020-12-04 17:18:03 +01:00
credential_access_promt_for_pwd_via_osascript.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_attempt_del_quarantine_attrib.toml
[New Rule] Attempt to Remove File Quarantine Attribute (#674)
2020-12-08 12:27:03 +01:00
defense_evasion_tcc_bypass_mounted_apfs_access.toml
[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775)
2021-01-26 08:50:28 +01:00
execution_scripting_osascript_exec_followed_by_netcon.toml
[New Rule] Apple Script Execution followed by Network Connection (#681)
2020-12-08 12:25:03 +01:00
execution_shell_execution_via_apple_scripting.toml
[New Rule] Shell Execution via Apple Scripting (#687)
2020-12-08 11:45:39 +01:00
lateral_movement_remote_ssh_login_enabled.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
persistence_creation_change_launch_agents_file.toml
[New Rule] Launch Agent Creation or Modification followed by Loading (#696)
2020-12-08 19:08:16 +01:00
persistence_creation_modif_launch_deamon_sequence.toml
[New Rule] LaunchDaemon Creation or Modification followed by Loading (#698)
2020-12-08 16:04:34 +01:00
persistence_docker_shortcuts_plist_modification.toml
[New Rule] Persistence via Docker Shortcut Modification (#733)
2021-01-26 08:38:38 +01:00
persistence_folder_action_scripts_runtime.toml
[New Rule] Persistence via Folder Action Script (#685)
2020-12-08 11:51:52 +01:00
persistence_login_logout_hooks_defaults.toml
[New Rule] Persistence via Login and/or Logout Hooks (#683)
2020-12-08 12:09:36 +01:00
persistence_loginwindow_plist_modification.toml
[New Rule] Potential Persistence via Login Hook (#900)
2021-01-26 08:35:16 +01:00
privilege_escalation_explicit_creds_via_apple_scripting.toml
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689)
2020-12-08 11:57:52 +01:00