additional modifications on commands and process names

2024-11-07 01:45:21 +00:00 · 2020-10-13 11:00:06 +02:00 · 2020-10-13 11:00:06 +02:00 · c03a696762
commit c03a696762
parent d17faf8234
2 changed files with 11 additions and 9 deletions
--- a/rules/linux/lnx_local_groups.yml
+++ b/rules/linux/lnx_local_groups.yml
@ -12,10 +12,10 @@ logsource:
 detection:
  selection_1:
    ProcessName|endswith:
-      - '*/groups'
+      - '/groups'
  selection_2:
    ProcessName|endswith:
-      - '*/cat'
+      - '/cat'
    CommandLine|contains:
      - '/etc/group'
  condition: 1 of them
--- a/rules/linux/macos_local_groups.yml
+++ b/rules/linux/macos_local_groups.yml
@ -12,19 +12,21 @@ logsource:
 detection:
  selection_1:
    ProcessName|endswith:
-      - '*/dscacheutil'
-    CommandLine|contains:
-      - '-q group'
+      - '/dscacheutil'
+    CommandLine|contains|all:
+      - '-q'
+      - 'group'
  selection_2:
    ProcessName|endswith:
-      - '*/cat'
+      - '/cat'
    CommandLine|contains:
      - '/etc/group'
  selection_3:
    ProcessName|endswith:
-      - '*/dscl'
-    CommandLine|contains:
-      - '. -list /groups'
+      - '/dscl'
+    CommandLine|contains|all:
+      - '-list'
+      - '/groups'
  condition: 1 of them
 falsepositives:
  - Legitimate administration activities