sigma-rules/rules/macos at cfd42babd1843a8ce69151bafc32c0660b86f064 - sigma-rules - GreySec Git

security-tools/sigma-rules

Files

T

History

Samirbous cfd42babd1 [New Rule] Enumeration of Users or Groups using Built-In Commands (#848 )

* [New Rule] Enumeration of Users or Groups using Built-In Commands

* Update discovery_users_domain_built_in_commands.toml

* added search option

* excluded some noisy processes

* Update discovery_users_domain_built_in_commands.toml

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

2021-02-09 10:50:39 +01:00

..

credential_access_access_to_browser_credentials_procargs.toml

[New Rule] Access to Browsers Credential Files (#789 )

2021-02-04 16:34:49 +01:00

credential_access_credentials_keychains.toml

[Rule Tuning] Compression of Keychain Credentials Directories (#787 )

2021-02-08 17:31:04 +01:00

credential_access_dumping_keychain_security.toml

[New Rule] Dumping of Keychain Content via Security Command (#785 )

2021-01-28 19:50:41 +01:00

credential_access_kerberosdump_kcc.toml

Refresh beats and ecs schemas and default to use latest to validate (#570 )

2020-12-01 13:24:20 -09:00

credential_access_keychain_pwd_retrieval_security_cmd.toml

[New Rule] Keychain Password Retrieval via Commandline (#811 )

2021-02-08 22:31:16 +01:00

credential_access_mitm_localhost_webproxy.toml

[New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805 )

2021-01-29 18:58:14 +01:00

credential_access_potential_ssh_bruteforce.toml

[New Rule] Potential SSH Bruteforce Detected (#538 )

2020-12-04 17:18:03 +01:00

credential_access_promt_for_pwd_via_osascript.toml

[Rule Tuning] Prompt for Credentials with OSASCRIPT (#759 )

2021-02-08 16:42:23 +01:00

credential_access_systemkey_dumping.toml

[New Rule] Access to SystemKey via Hexdump (#815 )

2021-02-08 23:02:02 +01:00

defense_evasion_apple_softupdates_modification.toml

[New Rule] SoftwareUpdate Preferences Modification (#869 )

2021-02-03 18:12:37 +01:00

defense_evasion_attempt_del_quarantine_attrib.toml

adjust risk score (#938 )

2021-02-08 13:15:42 -05:00

defense_evasion_attempt_to_disable_gatekeeper.toml

[New Rule] Attempt to Disable Gatekeeper (#841 )

2021-02-08 20:25:04 -07:00

defense_evasion_install_root_certificate.toml

[New Rule] Attempt to Install Root Certificate (#850 )

2021-02-08 22:49:35 +01:00

defense_evasion_modify_environment_launchctl.toml

[New Rule] Environment Variable Modification using Launchctl (#865 )

2021-01-26 21:41:30 +01:00

defense_evasion_privacy_controls_tcc_database_modification.toml

[New Rule] Potential MacOS Privacy Controls Bypass via TCCDB Modification (#765 )

2021-02-08 16:48:53 +01:00

defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

[New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy (#830 )

2021-02-03 17:54:15 +01:00

defense_evasion_safari_config_change.toml

[New Rule] Safari Settings Modification using Defaults Command (#861 )

2021-02-04 16:38:56 +01:00

defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

[New Rule] Potential Office Sandbox Evasion via ZIP File (#834 )

2021-02-04 16:47:58 +01:00

defense_evasion_tcc_bypass_mounted_apfs_access.toml

[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775 )

2021-01-26 08:50:28 +01:00

defense_evasion_unload_endpointsecurity_kext.toml

[New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension (#807 )

2021-02-08 22:22:16 +01:00

discovery_users_domain_built_in_commands.toml

[New Rule] Enumeration of Users or Groups using Built-In Commands (#848 )

2021-02-09 10:50:39 +01:00

execution_defense_evasion_electron_app_childproc_node_js.toml

[New Rule] Execution via Electron Child Process Node.js Module (#817 )

2021-01-29 19:06:49 +01:00

execution_initial_access_suspicious_browser_childproc.toml

[New Rule] Suspicious Browser Child Process (#767 )

2021-02-08 15:06:18 +01:00

execution_script_via_automator_workflows.toml

[New Rule] Script Execution via Automator Workflows (#763 )

2021-01-26 09:07:39 +01:00

execution_scripting_osascript_exec_followed_by_netcon.toml

[New Rule] Apple Script Execution followed by Network Connection (#681 )

2020-12-08 12:25:03 +01:00

execution_shell_execution_via_apple_scripting.toml

[New Rule] Shell Execution via Apple Scripting (#687 )

2020-12-08 11:45:39 +01:00

initial_access_suspicious_mac_ms_office_child_process.toml

Update revoked technique

2021-01-28 11:03:17 -09:00

lateral_movement_credential_access_kerberos_bifrostconsole.toml

[New Rule] Lateral Movement via Kerberos using Bifrost Console (#843 )

2021-02-08 22:34:54 +01:00

lateral_movement_remote_ssh_login_enabled.toml

[Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783 )

2021-02-08 16:54:39 +01:00

lateral_movement_vpn_connection_attempt.toml

[New Rule] Virtual Private Network Connection Attempt (#912 )

2021-02-03 18:18:09 +01:00

persistence_account_creation_hide_at_logon.toml

[New Rule] Attempt to Create a Hidden Local Account (#799 )

2021-02-08 17:24:56 +01:00

persistence_creation_change_launch_agents_file.toml

[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 )

2020-12-18 12:46:16 -09:00

persistence_creation_hidden_login_item_osascript.toml

[New Rule] Creation Attempt of a Hidden Login Item via Apple Script (#801 )

2021-02-08 17:22:01 +01:00

persistence_creation_modif_launch_deamon_sequence.toml

[New Rule] LaunchDaemon Creation or Modification followed by Loading (#698 )

2020-12-08 16:04:34 +01:00

persistence_credential_access_authorization_plugin_creation.toml

[New Rule] Authorization Plugin Modification (#856 )

2021-02-08 23:14:25 +01:00

persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

[New Rule] Suspicious Launchd Hidden Child Process (#823 )

2021-02-08 22:43:21 +01:00

persistence_docker_shortcuts_plist_modification.toml

[New Rule] Persistence via Docker Shortcut Modification (#733 )

2021-01-26 08:38:38 +01:00

persistence_emond_rules_file_creation.toml

[New Rule] 2 Rules for Persistence via Emond (#832 )

2021-01-29 09:16:27 +01:00

persistence_emond_rules_process_execution.toml

[New Rule] 2 Rules for Persistence via Emond (#832 )

2021-01-29 09:16:27 +01:00

persistence_enable_root_account.toml

[New Rule] Attempt to Enable the Root Account (#792 )

2021-02-08 17:10:43 +01:00

persistence_evasion_hidden_launch_agent_deamon_creation.toml

[New Rule] Creation of a Hidden Launch Agent or Daemon (#797 )

2021-01-29 19:01:15 +01:00

persistence_finder_sync_plugin_pluginkit.toml

[New Rule] Finder Sync Plugin Enabled (#735 )

2021-02-08 23:08:49 +01:00

persistence_folder_action_scripts_runtime.toml

[New Rule] Persistence via Folder Action Script (#685 )

2020-12-08 11:51:52 +01:00

persistence_login_logout_hooks_defaults.toml

[New Rule] Persistence via Login and/or Logout Hooks (#683 )

2020-12-08 12:09:36 +01:00

persistence_loginwindow_plist_modification.toml

[New Rule] Potential Persistence via Login Hook (#900 )

2021-01-26 08:35:16 +01:00

persistence_modification_sublime_app_plugin_or_script.toml

[New Rule] Sublime Plugin or Application Script Modification (#761 )

2021-02-08 16:34:44 +01:00

persistence_periodic_tasks_file_mdofiy.toml

[New Rule] Potential Persistence via Periodic Tasks (#898 )

2021-02-03 18:15:25 +01:00

privilege_escalation_applescript_with_admin_privs.toml

[New Rule] Execution with Administrator Privileges via Apple Scripting (#777 )

2021-02-08 17:39:22 +01:00

privilege_escalation_explicit_creds_via_apple_scripting.toml

[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 )

2020-12-08 11:57:52 +01:00

privilege_escalation_local_user_added_to_admin.toml

[New Rule] Attempt to Add an Account to the Admin Group (#803 )

2021-01-29 19:03:17 +01:00