security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e2c860693c8d59d04e7bbfcda546347187c5a357
sigma-rules/rules/macos
T
History
Samirbous 4900c9a018 [New Rule] Potential Office Sandbox Evasion via ZIP File (#834) 
* [New Rule] Potential Office Sandbox Evasion via LaunchAgent ZIP File

* adjusted query to account for other autostart paths

* adjusted query and description

* Update defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

* Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* 2021!

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-04 16:47:58 +01:00
..
credential_access_access_to_browser_credentials_procargs.toml
[New Rule] Access to Browsers Credential Files (#789)
2021-02-04 16:34:49 +01:00
credential_access_compress_credentials_keychains.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
credential_access_dumping_keychain_security.toml
[New Rule] Dumping of Keychain Content via Security Command (#785)
2021-01-28 19:50:41 +01:00
credential_access_kerberosdump_kcc.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
credential_access_mitm_localhost_webproxy.toml
[New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805)
2021-01-29 18:58:14 +01:00
credential_access_potential_ssh_bruteforce.toml
[New Rule] Potential SSH Bruteforce Detected (#538)
2020-12-04 17:18:03 +01:00
credential_access_promt_for_pwd_via_osascript.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_apple_softupdates_modification.toml
[New Rule] SoftwareUpdate Preferences Modification (#869)
2021-02-03 18:12:37 +01:00
defense_evasion_attempt_del_quarantine_attrib.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
defense_evasion_modify_environment_launchctl.toml
[New Rule] Environment Variable Modification using Launchctl (#865)
2021-01-26 21:41:30 +01:00
defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
[New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy (#830)
2021-02-03 17:54:15 +01:00
defense_evasion_safari_config_change.toml
[New Rule] Safari Settings Modification using Defaults Command (#861)
2021-02-04 16:38:56 +01:00
defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
[New Rule] Potential Office Sandbox Evasion via ZIP File (#834)
2021-02-04 16:47:58 +01:00
defense_evasion_tcc_bypass_mounted_apfs_access.toml
[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775)
2021-01-26 08:50:28 +01:00
execution_defense_evasion_electron_app_childproc_node_js.toml
[New Rule] Execution via Electron Child Process Node.js Module (#817)
2021-01-29 19:06:49 +01:00
execution_script_via_automator_workflows.toml
[New Rule] Script Execution via Automator Workflows (#763)
2021-01-26 09:07:39 +01:00
execution_scripting_osascript_exec_followed_by_netcon.toml
[New Rule] Apple Script Execution followed by Network Connection (#681)
2020-12-08 12:25:03 +01:00
execution_shell_execution_via_apple_scripting.toml
[New Rule] Shell Execution via Apple Scripting (#687)
2020-12-08 11:45:39 +01:00
initial_access_suspicious_mac_ms_office_child_process.toml
Update revoked technique
2021-01-28 11:03:17 -09:00
lateral_movement_remote_ssh_login_enabled.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
lateral_movement_vpn_connection_attempt.toml
[New Rule] Virtual Private Network Connection Attempt (#912)
2021-02-03 18:18:09 +01:00
persistence_creation_change_launch_agents_file.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
persistence_creation_modif_launch_deamon_sequence.toml
[New Rule] LaunchDaemon Creation or Modification followed by Loading (#698)
2020-12-08 16:04:34 +01:00
persistence_docker_shortcuts_plist_modification.toml
[New Rule] Persistence via Docker Shortcut Modification (#733)
2021-01-26 08:38:38 +01:00
persistence_emond_rules_file_creation.toml
[New Rule] 2 Rules for Persistence via Emond (#832)
2021-01-29 09:16:27 +01:00
persistence_emond_rules_process_execution.toml
[New Rule] 2 Rules for Persistence via Emond (#832)
2021-01-29 09:16:27 +01:00
persistence_evasion_hidden_launch_agent_deamon_creation.toml
[New Rule] Creation of a Hidden Launch Agent or Daemon (#797)
2021-01-29 19:01:15 +01:00
persistence_folder_action_scripts_runtime.toml
[New Rule] Persistence via Folder Action Script (#685)
2020-12-08 11:51:52 +01:00
persistence_login_logout_hooks_defaults.toml
[New Rule] Persistence via Login and/or Logout Hooks (#683)
2020-12-08 12:09:36 +01:00
persistence_loginwindow_plist_modification.toml
[New Rule] Potential Persistence via Login Hook (#900)
2021-01-26 08:35:16 +01:00
persistence_periodic_tasks_file_mdofiy.toml
[New Rule] Potential Persistence via Periodic Tasks (#898)
2021-02-03 18:15:25 +01:00
privilege_escalation_explicit_creds_via_apple_scripting.toml
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689)
2020-12-08 11:57:52 +01:00
privilege_escalation_local_user_added_to_admin.toml
[New Rule] Attempt to Add an Account to the Admin Group (#803)
2021-01-29 19:03:17 +01:00