From c03a6967624c865b051442e087dea682bd46c05f Mon Sep 17 00:00:00 2001
From: Alejandro Ortuno
Date: Tue, 13 Oct 2020 11:00:06 +0200
Subject: [PATCH] additional modifications on commands and process names

---
 rules/linux/lnx_local_groups.yml | 4 ++--
 rules/linux/macos_local_groups.yml | 16 +++++++++-------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml
index 04cd384c..7bdb042a 100644
--- a/rules/linux/lnx_local_groups.yml
+++ b/rules/linux/lnx_local_groups.yml
@@ -12,10 +12,10 @@ logsource:
 detection:
 selection_1:
 ProcessName|endswith:
- - '*/groups'
+ - '/groups'
 selection_2:
 ProcessName|endswith:
- - '*/cat'
+ - '/cat'
 CommandLine|contains:
 - '/etc/group'
 condition: 1 of them
diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml
index a456e13a..3441c43d 100644
--- a/rules/linux/macos_local_groups.yml
+++ b/rules/linux/macos_local_groups.yml
@@ -12,19 +12,21 @@ logsource:
 detection:
 selection_1:
 ProcessName|endswith:
- - '*/dscacheutil'
- CommandLine|contains:
- - '-q group'
+ - '/dscacheutil'
+ CommandLine|contains|all:
+ - '-q'
+ - 'group'
 selection_2:
 ProcessName|endswith:
- - '*/cat'
+ - '/cat'
 CommandLine|contains:
 - '/etc/group'
 selection_3:
 ProcessName|endswith:
- - '*/dscl'
- CommandLine|contains:
- - '. -list /groups'
+ - '/dscl'
+ CommandLine|contains|all:
+ - '-list'
+ - '/groups'
 condition: 1 of them
 falsepositives:
 - Legitimate administration activities
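Review bot: `ProcessName|endswith: '/groups'` and `'/cat'` in selection_1 and selection_2 now require a path separator directly before the binary name, so if the backend maps ProcessName from a basename-only field (as some Linux process-audit sources do) rather than the full executable path, neither selection can ever match. Dropping the leading `*` is the right call, since `endswith` already implies the leading wildcard and an unescaped `*` is itself a wildcard in Sigma, but the field-content assumption should be made explicit, e.g. a comment above the detection block such as `# ProcessName is expected to carry the full executable path, not just the basename`. The same consideration applies to the three `ProcessName|endswith` selectors in rules/linux/macos_local_groups.yml in the next hunk.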
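Review bot: Replacing `'-q group'` with `CommandLine|contains|all: ['-q', 'group']` in selection_1 widens the match well beyond the dscacheutil group query, because the two tokens no longer need to be adjacent or in that order; any dscacheutil invocation with `-q` and the substring `group` anywhere on the command line (for instance a query against another datasource whose argument contains that string) will now fire. selection_3 is loosened the same way, where `'-list'` and `'/groups'` were previously anchored as `. -list /groups`. If the goal was only to tolerate variable whitespace or argument order, keep the more specific `'-q group'` variant alongside the tokenised form, or document the deliberate trade-off with a comment such as `# contains|all: tokens are matched independently, broader than the original '-q group' phrase` and reflect the extra noise under falsepositives.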