valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 01:45:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

additional modifications on commands and process names

Browse Source
This commit is contained in:
Alejandro Ortuno 2020-10-13 11:00:06 +02:00
parent d17faf8234
commit c03a696762
2 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
rules/linux/lnx_local_groups.yml
View File

@ -12,10 +12,10 @@ logsource:
detection: detection:
selection_1: selection_1:
ProcessName|endswith: ProcessName|endswith:
- '*/groups' - '/groups'
selection_2: selection_2:
ProcessName|endswith: ProcessName|endswith:
- '*/cat' - '/cat'
CommandLine|contains: CommandLine|contains:
- '/etc/group' - '/etc/group'
condition: 1 of them condition: 1 of them

16
rules/linux/macos_local_groups.yml
View File

@ -12,19 +12,21 @@ logsource:
detection: detection:
selection_1: selection_1:
ProcessName|endswith: ProcessName|endswith:
- '*/dscacheutil' - '/dscacheutil'
CommandLine|contains: CommandLine|contains|all:
- '-q group' - '-q'
- 'group'
selection_2: selection_2:
ProcessName|endswith: ProcessName|endswith:
- '*/cat' - '/cat'
CommandLine|contains: CommandLine|contains:
- '/etc/group' - '/etc/group'
selection_3: selection_3:
ProcessName|endswith: ProcessName|endswith:
- '*/dscl' - '/dscl'
CommandLine|contains: CommandLine|contains|all:
- '. -list /groups' - '-list'
- '/groups'
condition: 1 of them condition: 1 of them
falsepositives: falsepositives:
- Legitimate administration activities - Legitimate administration activities