Skip to content

Commit

Permalink
Fix macos category
Browse files Browse the repository at this point in the history
  • Loading branch information
@frack113
frack113 committed Nov 11, 2021
1 parent 8b419b8 commit 735e5ea
Show file tree
Hide file tree
Showing 29 changed files with 6 additions and 5 deletions.
0 ...linux/macos/macos_emond_launch_daemon.yml → .../file_event/macos_emond_launch_daemon.yml
View file
File renamed without changes.
0 rules/linux/macos/macos_startup_items.yml → .../macos/file_event/macos_startup_items.yml
View file
File renamed without changes.
0 rules/linux/macos/macos_applescript.yml → ...os/process_creation/macos_applescript.yml
View file
File renamed without changes.
0 rules/linux/macos/macos_base64_decode.yml → .../process_creation/macos_base64_decode.yml
View file
File renamed without changes.
0 rules/linux/macos/macos_binary_padding.yml → ...process_creation/macos_binary_padding.yml
View file
File renamed without changes.
0 ...nux/macos/macos_change_file_time_attr.yml → ..._creation/macos_change_file_time_attr.yml
View file
File renamed without changes.
4 changes: 2 additions & 2 deletions ...s/linux/macos/macos_clear_system_logs.yml → ...cess_creation/macos_clear_system_logs.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ status: experimental
description: Detects deletion of local audit logs
author: remotephone, oscd.community
date: 2020/10/11
modified: 2021/08/14
modified: 2021/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
logsource:
Expand All @@ -16,7 +16,7 @@ detection:
selection2:
CommandLine|contains: '/var/log'
selection3:
Commandline|contains|all:
CommandLine|contains|all:
- '/Users/'
- '/Library/Logs/'
condition: selection1 and (selection2 or selection3)
Expand Down
0 rules/linux/macos/macos_create_account.yml → ...process_creation/macos_create_account.yml
View file
File renamed without changes.
0 ...nux/macos/macos_create_hidden_account.yml → ..._creation/macos_create_hidden_account.yml
View file
File renamed without changes.
0 ...linux/macos/macos_creds_from_keychain.yml → ...ss_creation/macos_creds_from_keychain.yml
View file
File renamed without changes.
0 ...ux/macos/macos_disable_security_tools.yml → ...creation/macos_disable_security_tools.yml
View file
File renamed without changes.
0 ...os/macos_file_and_directory_discovery.yml → ...on/macos_file_and_directory_discovery.yml
View file
File renamed without changes.
0 .../linux/macos/macos_find_cred_in_files.yml → ...ess_creation/macos_find_cred_in_files.yml
View file
File renamed without changes.
5 changes: 3 additions & 2 deletions ...s/linux/macos/macos_gui_input_capture.yml → ...cess_creation/macos_gui_input_capture.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ status: experimental
description: Detects attempts to use system dialog prompts to capture user credentials
author: remotephone, oscd.community
date: 2020/10/13
modified: 2021/11/11
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md
- https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/
Expand All @@ -15,13 +16,13 @@ detection:
Image:
- '/usr/sbin/osascript'
selection2:
Commandline|contains|all:
CommandLine|contains|all:
- '-e'
- 'display'
- 'dialog'
- 'answer'
selection3:
Commandline|contains:
CommandLine|contains:
- 'admin'
- 'administrator'
- 'authenticate'
Expand Down
0 rules/linux/macos/macos_local_account.yml → .../process_creation/macos_local_account.yml
View file
File renamed without changes.
0 rules/linux/macos/macos_local_groups.yml → ...s/process_creation/macos_local_groups.yml
View file
File renamed without changes.
0 .../macos/macos_network_service_scanning.yml → ...eation/macos_network_service_scanning.yml
View file
File renamed without changes.
0 rules/linux/macos/macos_network_sniffing.yml → ...ocess_creation/macos_network_sniffing.yml
View file
File renamed without changes.
0 ...x/macos/macos_remote_system_discovery.yml → ...reation/macos_remote_system_discovery.yml
View file
File renamed without changes.
0 ...ux/macos/macos_schedule_task_job_cron.yml → ...creation/macos_schedule_task_job_cron.yml
View file
File renamed without changes.
0 rules/linux/macos/macos_screencapture.yml → .../process_creation/macos_screencapture.yml
View file
File renamed without changes.
0 ...cos/macos_security_software_discovery.yml → ...ion/macos_security_software_discovery.yml
View file
File renamed without changes.
0 ...ux/macos/macos_split_file_into_pieces.yml → ...creation/macos_split_file_into_pieces.yml
View file
File renamed without changes.
0 .../macos/macos_susp_histfile_operations.yml → ...eation/macos_susp_histfile_operations.yml
View file
File renamed without changes.
0 ...os_suspicious_macos_firmware_activity.yml → ...os_suspicious_macos_firmware_activity.yml
View file
File renamed without changes.
0 ..._system_network_connections_discovery.yml → ..._system_network_connections_discovery.yml
View file
File renamed without changes.
2 changes: 1 addition & 1 deletion .../macos/macos_system_network_discovery.yml → ...eation/macos_system_network_discovery.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ detection:
- '/usr/sbin/arp'
selection2:
Image: '/usr/bin/defaults'
Commandline|contains|all:
CommandLine|contains|all:
- 'read'
- '/Library/Preferences/com.apple.alf'
condition: selection1 or selection2
Expand Down
0 ...ux/macos/macos_system_shutdown_reboot.yml → ...creation/macos_system_shutdown_reboot.yml
View file
File renamed without changes.
0 ...x/macos/macos_xattr_gatekeeper_bypass.yml → ...reation/macos_xattr_gatekeeper_bypass.yml
View file
File renamed without changes.

0 comments on commit 735e5ea

Please sign in to comment.