update syntax a bit to re-run the test

yugoslavskiy 2020-10-20 17:31:00 +02:00 committed by GitHub
parent bf8426d71b
commit 585770faa3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -11,11 +11,9 @@ logsource:
product: macos
detection:
selection_1:
TargetFilename|contains:
- '/Library/StartupItems/'
TargetFilename|contains: '/Library/StartupItems/'
selection_2:
TargetFilename|endswith:
- '.plist'
TargetFilename|endswith: '.plist'
condition: selection_1 and selection_2
falsepositives:
- Legitimate administration activities
@ -24,4 +22,3 @@ tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1037.005
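Review bot: The `selection_2` filter (`TargetFilename|endswith: '.plist'`) limits the rule to property-list writes, so a file event that drops or replaces a startup item's executable under `/Library/StartupItems/` without touching a plist would not match. A startup item directory holds both the executable and its `StartupParameters.plist`, so if the narrowing is deliberate to reduce noise it deserves a comment such as `# only plist writes are matched; executable changes in the same directory are not covered`. Otherwise consider `condition: selection_1`, accepting more hits from legitimate administration. The rule's title and full logsource block lie outside the visible hunks, so this assumes a file-event log source.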