security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fdf9384e4d2da1256777a7a372c23a1091ef4d47
sigma-rules/rules/macos
T
History
Samirbous 326bebdebe [New Rule] Execution via Electron Child Process Node.js Module (#817) 
* [New Rule] Execution via Electron ChildProc Node.js Module

* relinted

* fixed TID and adjusted KQL for perf

* fixed kql

* Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-01-29 19:06:49 +01:00
..
credential_access_compress_credentials_keychains.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
credential_access_dumping_keychain_security.toml
[New Rule] Dumping of Keychain Content via Security Command (#785)
2021-01-28 19:50:41 +01:00
credential_access_kerberosdump_kcc.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
credential_access_mitm_localhost_webproxy.toml
[New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805)
2021-01-29 18:58:14 +01:00
credential_access_potential_ssh_bruteforce.toml
[New Rule] Potential SSH Bruteforce Detected (#538)
2020-12-04 17:18:03 +01:00
credential_access_promt_for_pwd_via_osascript.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
defense_evasion_attempt_del_quarantine_attrib.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
defense_evasion_modify_environment_launchctl.toml
[New Rule] Environment Variable Modification using Launchctl (#865)
2021-01-26 21:41:30 +01:00
defense_evasion_tcc_bypass_mounted_apfs_access.toml
[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775)
2021-01-26 08:50:28 +01:00
execution_defense_evasion_electron_app_childproc_node_js.toml
[New Rule] Execution via Electron Child Process Node.js Module (#817)
2021-01-29 19:06:49 +01:00
execution_script_via_automator_workflows.toml
[New Rule] Script Execution via Automator Workflows (#763)
2021-01-26 09:07:39 +01:00
execution_scripting_osascript_exec_followed_by_netcon.toml
[New Rule] Apple Script Execution followed by Network Connection (#681)
2020-12-08 12:25:03 +01:00
execution_shell_execution_via_apple_scripting.toml
[New Rule] Shell Execution via Apple Scripting (#687)
2020-12-08 11:45:39 +01:00
initial_access_suspicious_mac_ms_office_child_process.toml
Update revoked technique
2021-01-28 11:03:17 -09:00
lateral_movement_remote_ssh_login_enabled.toml
Refresh beats and ecs schemas and default to use latest to validate (#570)
2020-12-01 13:24:20 -09:00
persistence_creation_change_launch_agents_file.toml
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
2020-12-18 12:46:16 -09:00
persistence_creation_modif_launch_deamon_sequence.toml
[New Rule] LaunchDaemon Creation or Modification followed by Loading (#698)
2020-12-08 16:04:34 +01:00
persistence_docker_shortcuts_plist_modification.toml
[New Rule] Persistence via Docker Shortcut Modification (#733)
2021-01-26 08:38:38 +01:00
persistence_emond_rules_file_creation.toml
[New Rule] 2 Rules for Persistence via Emond (#832)
2021-01-29 09:16:27 +01:00
persistence_emond_rules_process_execution.toml
[New Rule] 2 Rules for Persistence via Emond (#832)
2021-01-29 09:16:27 +01:00
persistence_evasion_hidden_launch_agent_deamon_creation.toml
[New Rule] Creation of a Hidden Launch Agent or Daemon (#797)
2021-01-29 19:01:15 +01:00
persistence_folder_action_scripts_runtime.toml
[New Rule] Persistence via Folder Action Script (#685)
2020-12-08 11:51:52 +01:00
persistence_login_logout_hooks_defaults.toml
[New Rule] Persistence via Login and/or Logout Hooks (#683)
2020-12-08 12:09:36 +01:00
persistence_loginwindow_plist_modification.toml
[New Rule] Potential Persistence via Login Hook (#900)
2021-01-26 08:35:16 +01:00
privilege_escalation_explicit_creds_via_apple_scripting.toml
[New Rule] Execution with Explicit Credentials via Apple Scripting (#689)
2020-12-08 11:57:52 +01:00
privilege_escalation_local_user_added_to_admin.toml
[New Rule] Attempt to Add an Account to the Admin Group (#803)
2021-01-29 19:03:17 +01:00