Samirbous acff6a3a5d [New Rule] 2 Rules for Persistence via Emond (#832) ...

* [New Rule] 2 Rules for Persistence via Emond

* removed auditbeat index

process.parent.name not captured

* Update persistence_emond_rules_process_execution.toml

* Update rules/macos/persistence_emond_rules_file_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_file_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relint

* 2021

* Update persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

2021-01-29 09:16:27 +01:00

..

credential_access_compress_credentials_keychains.toml

[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)

2020-12-18 12:46:16 -09:00

credential_access_dumping_keychain_security.toml

[New Rule] Dumping of Keychain Content via Security Command (#785)

2021-01-28 19:50:41 +01:00

credential_access_kerberosdump_kcc.toml

Refresh beats and ecs schemas and default to use latest to validate (#570)

2020-12-01 13:24:20 -09:00

credential_access_potential_ssh_bruteforce.toml

[New Rule] Potential SSH Bruteforce Detected (#538)

2020-12-04 17:18:03 +01:00

credential_access_promt_for_pwd_via_osascript.toml

Refresh beats and ecs schemas and default to use latest to validate (#570)

2020-12-01 13:24:20 -09:00

defense_evasion_attempt_del_quarantine_attrib.toml

[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)

2020-12-18 12:46:16 -09:00

defense_evasion_modify_environment_launchctl.toml

[New Rule] Environment Variable Modification using Launchctl (#865)

2021-01-26 21:41:30 +01:00

defense_evasion_tcc_bypass_mounted_apfs_access.toml

[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775)

2021-01-26 08:50:28 +01:00

execution_script_via_automator_workflows.toml

[New Rule] Script Execution via Automator Workflows (#763)

2021-01-26 09:07:39 +01:00

execution_scripting_osascript_exec_followed_by_netcon.toml

[New Rule] Apple Script Execution followed by Network Connection (#681)

2020-12-08 12:25:03 +01:00

execution_shell_execution_via_apple_scripting.toml

[New Rule] Shell Execution via Apple Scripting (#687)

2020-12-08 11:45:39 +01:00

initial_access_suspicious_mac_ms_office_child_process.toml

Update revoked technique

2021-01-28 11:03:17 -09:00

lateral_movement_remote_ssh_login_enabled.toml

Refresh beats and ecs schemas and default to use latest to validate (#570)

2020-12-01 13:24:20 -09:00

persistence_creation_change_launch_agents_file.toml

[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)

2020-12-18 12:46:16 -09:00

persistence_creation_modif_launch_deamon_sequence.toml

[New Rule] LaunchDaemon Creation or Modification followed by Loading (#698)

2020-12-08 16:04:34 +01:00

persistence_docker_shortcuts_plist_modification.toml

[New Rule] Persistence via Docker Shortcut Modification (#733)

2021-01-26 08:38:38 +01:00

persistence_emond_rules_file_creation.toml

[New Rule] 2 Rules for Persistence via Emond (#832)

2021-01-29 09:16:27 +01:00

persistence_emond_rules_process_execution.toml

[New Rule] 2 Rules for Persistence via Emond (#832)

2021-01-29 09:16:27 +01:00

persistence_folder_action_scripts_runtime.toml

[New Rule] Persistence via Folder Action Script (#685)

2020-12-08 11:51:52 +01:00

persistence_login_logout_hooks_defaults.toml

[New Rule] Persistence via Login and/or Logout Hooks (#683)

2020-12-08 12:09:36 +01:00

persistence_loginwindow_plist_modification.toml

[New Rule] Potential Persistence via Login Hook (#900)

2021-01-26 08:35:16 +01:00

privilege_escalation_explicit_creds_via_apple_scripting.toml

[New Rule] Execution with Explicit Credentials via Apple Scripting (#689)

2020-12-08 11:57:52 +01:00