sigma-rules

Files

T

Colson Wilhoit c915b9959d [Tuning] MacOS Comprehensive Detection Rule Tuning (#3435 )

* Update to use new data source

* Exclude FPs

* Update logic

* Exclude FPs

* Update to match ER logic

* Exclude FP

* Update to match endpoint rule and reduce FPs

* Update logic to reduce FPs

* Update logic to reduce FPs

* Exclude FPs

* Update logic to remove FPs

* Update logic to reduce FPs

* Update logic and min stack version to reduce FPs

* Exclude FP

* Remove FPs

* Update logic and min stack to reduce FPs

* Exclude FPs

* Update logic and min stack to exclude FPs

* Update logic and min stack to exclude FPs

* Update logic to be more efficient

* Update logic

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/defense_evasion_modify_environment_launchctl.toml

* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update rules/macos/execution_installer_package_spawned_network_event.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/credential_access_credentials_keychains.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/persistence_loginwindow_plist_modification.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Fix

* Fix

* Fix

* Update min stack comments

* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml

* Update rules/macos/credential_access_systemkey_dumping.toml

* Update rules/macos/discovery_users_domain_built_in_commands.toml

* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

* Remove field

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 1fb58e1b61)