security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
75ffa5ec4eb2fd9495741f86a653d50ffeedcd49
sigma-rules/rules/macos
T
History
Colson Wilhoit 49b660a135 [New Rules] New Terms rules for malicious Python/Pickle model activity on macOS (#5780) 
* [New Rules] New Terms rules for malicious Python/Pickle model activity on macOS

Adds three new_terms SIEM detection rules to close the detection gap identified in ia-trade-team#666 where malicious pickle/PyTorch model files execute arbitrary commands via Python deserialization without triggering existing GenAI-parent-gated endpoint rules.

Co-authored-by: Cursor <cursoragent@cursor.com>

* Address PR feedback: broaden descriptions and simplify process.name

- Update descriptions across all three rules to not over-attribute to
  pickle/PyTorch — these rules detect any malicious Python activity
  (scripts, compromised dependencies, model deserialization, etc.)
- Simplify process.name from explicit enumeration to python* wildcard
  since KQL matching is case-insensitive
- Update investigation guides to reflect broader scope of potential
  attack vectors

Made-with: Cursor

* Apply suggestion from @DefSecSentinel

* Apply suggestion from @DefSecSentinel

* Apply suggestion from @DefSecSentinel

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-03-17 10:59:08 -05:00
..
collection_discovery_output_written_to_suspicious_file.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
collection_pbpaste_execution_via_unusual_parent.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
collection_sensitive_file_access_followed_by_compression.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
command_and_control_aws_s3_connection_via_script.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
command_and_control_executable_download_via_wget.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
command_and_control_google_calendar_c2_via_script.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
command_and_control_network_connection_to_oast_domain.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
command_and_control_perl_outbound_network_connection.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
command_and_control_potential_etherhiding_c2.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
command_and_control_script_interpreter_connection_to_non_standard_port.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
command_and_control_suspicious_curl_from_macos_application.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
command_and_control_suspicious_curl_to_google_app_script.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
command_and_control_suspicious_outbound_network_via_unsigned_binary.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
command_and_control_unusual_connection_to_suspicious_top_level_domain.toml
Add investigation guides (#4600)
2025-04-07 20:55:39 +05:30
command_and_control_unusual_network_connection_to_suspicious_web_service.toml
[Rule Tuning] Mythic C2 AzureBlob Profile Endpoints (#5663)
2026-02-03 09:38:14 -05:00
credential_access_credentials_keychains.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
credential_access_dumping_hashes_bi_cmds.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
credential_access_dumping_keychain_security.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
credential_access_high_volume_of_pbpaste.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30
credential_access_kerberosdump_kcc.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
credential_access_keychain_pwd_retrieval_security_cmd.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
credential_access_mitm_localhost_webproxy.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
credential_access_potential_macos_ssh_bruteforce.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
credential_access_promt_for_pwd_via_osascript.toml
MacOS detection rules tuning (#5667)
2026-02-05 11:20:16 -06:00
credential_access_python_sensitive_file_access_first_occurrence.toml
[New Rules] New Terms rules for malicious Python/Pickle model activity on macOS (#5780)
2026-03-17 10:59:08 -05:00
credential_access_suspicious_web_browser_sensitive_file_access.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
credential_access_systemkey_dumping.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_apple_softupdates_modification.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_attempt_del_quarantine_attrib.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_attempt_to_disable_gatekeeper.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_dylib_injection_via_env_vars.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
defense_evasion_gatekeeper_override_and_execution.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
defense_evasion_install_root_certificate.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_modify_environment_launchctl.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_privacy_controls_tcc_database_modification.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
MacOS detection rules tuning (#5667)
2026-02-05 11:20:16 -06:00
defense_evasion_safari_config_change.toml
MacOS detection rules tuning (#5667)
2026-02-05 11:20:16 -06:00
defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_suspicious_tcc_access_granted.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
defense_evasion_tcc_bypass_mounted_apfs_access.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
defense_evasion_unload_endpointsecurity_kext.toml
MacOS detection rules tuning (#5667)
2026-02-05 11:20:16 -06:00
discovery_dns_request_for_ip_lookup_service.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
discovery_external_ip_address_discovery_via_curl.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
discovery_full_disk_access_check.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
discovery_suspicious_sip_check.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
discovery_system_and_network_configuration_check.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
discovery_users_domain_built_in_commands.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
execution_defense_evasion_electron_app_childproc_node_js.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
execution_initial_access_suspicious_browser_childproc.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
execution_installer_package_spawned_network_event.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
execution_python_shell_spawn_first_occurrence.toml
[New Rules] New Terms rules for malicious Python/Pickle model activity on macOS (#5780)
2026-03-17 10:59:08 -05:00
execution_script_via_automator_workflows.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
execution_scripting_osascript_exec_followed_by_netcon.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
execution_shell_execution_via_apple_scripting.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
execution_unusual_library_load_via_python.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
initial_access_suspicious_mac_ms_office_child_process.toml
[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447)
2025-02-05 15:09:27 -03:00
lateral_movement_credential_access_kerberos_bifrostconsole.toml
MacOS detection rules tuning (#5667)
2026-02-05 11:20:16 -06:00
lateral_movement_mounting_smb_share.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
lateral_movement_remote_ssh_login_enabled.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
lateral_movement_suspicious_curl_to_jamf_endpoint.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
lateral_movement_vpn_connection_attempt.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_account_creation_hide_at_logon.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_apple_mail_rule_modification.toml
Monthly Manifest and Schema Updation (#5697)
2026-02-10 09:17:04 +05:30
persistence_creation_change_launch_agents_file.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_creation_hidden_login_item_osascript.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_credential_access_authorization_plugin_creation.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_crontab_creation.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_curl_execution_via_shell_profile.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_directory_services_plugins_modification.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_docker_shortcuts_plist_modification.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_emond_rules_file_creation.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_emond_rules_process_execution.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_enable_root_account.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_evasion_hidden_launch_agent_deamon_creation.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_finder_sync_plugin_pluginkit.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_folder_action_scripts_runtime.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_hidden_plist_filename.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
persistence_login_logout_hooks_defaults.toml
[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447)
2025-02-05 15:09:27 -03:00
persistence_loginwindow_plist_modification.toml
[FR] Generate investigation guides (#4358)
2025-01-22 11:17:38 -06:00
persistence_manual_chromium_extension_loading.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
persistence_modification_sublime_app_plugin_or_script.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_periodic_tasks_file_mdofiy.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_python_launch_agent_or_daemon_creation_first_occurrence.toml
[New Rules] New Terms rules for malicious Python/Pickle model activity on macOS (#5780)
2026-03-17 10:59:08 -05:00
persistence_screensaver_engine_unexpected_child_process.toml
[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447)
2025-02-05 15:09:27 -03:00
persistence_screensaver_plist_file_modification.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_startup_item_plist_creation.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
persistence_suspicious_calendar_modification.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
persistence_suspicious_file_creation_via_pkg_install_script.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
persistence_suspicious_launch_agent_or_launch_daemon.toml
[New] Endpoint Rule Conversion PR (#5658)
2026-02-06 10:53:44 -06:00
persistence_via_atom_init_file_modification.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
privilege_escalation_applescript_with_admin_privs.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
privilege_escalation_explicit_creds_via_scripting.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
privilege_escalation_exploit_adobe_acrobat_updater.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
privilege_escalation_local_user_added_to_admin.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
privilege_escalation_root_crontab_filemod.toml
[Tuning] MacOS DR Tuning PR (#4546)
2025-04-21 17:32:05 -05:00
privilege_escalation_user_added_to_admin_group.toml
Replace master doc URLs with current (#4439)
2025-02-03 21:27:50 +05:30