valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

updating search syntax, splitting process name and cmdline and adding category

Browse Source
This commit is contained in:
remotephone@gmail.com 2020-10-12 22:49:19 -05:00
parent 476a3c04d9
commit 89c8a589a5
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
rules/linux/macos_clear_system_logs.yml
View File

@ -8,12 +8,14 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
logsource:
product: macos
category: process_creation
detection:
selection:
- ProcessName: 'rm'
CommandLine|contains:
- 'rm -rf /var/log'
- 'rm -rf /private/var/log'
- 'rm -rf /Users/*/Library/Logs/'
- '-rf /var/log'
- '-rf /private/var/log'
- '-rf /Users/*/Library/Logs/'
condition: selection
falsepositives:
- Legitimate administration activities