The corresponding prefix has been added to all rules for Mac OS (#434)

* The corresponding prefix has been added to all rules for Mac OS * small fix
Security-Experts-Community · Nov 8, 2024 · 8d044b6 · 8d044b6
1 parent 1080888
commit 8d044b6
Show file tree

Hide file tree

Showing 49 changed files with 68 additions and 65 deletions.
diff --git a/...open_package/correlation_rules/mitre_attck_defense_evasion/DirtyNIB/tests/test_conds_1.tc b/...open_package/correlation_rules/mitre_attck_defense_evasion/DirtyNIB/tests/test_conds_1.tc
diff --git a/...n_rules/mitre_attck_defense_evasion/Hidden_File_or_Folder_Execution/tests/test_conds_1.tc b/...n_rules/mitre_attck_defense_evasion/Hidden_File_or_Folder_Execution/tests/test_conds_1.tc
diff --git a/...efense_evasion/DirtyNIB/i18n/i18n_en.yaml → ..._evasion/MacOS_DirtyNIB/i18n/i18n_en.yaml b/...efense_evasion/DirtyNIB/i18n/i18n_en.yaml → ..._evasion/MacOS_DirtyNIB/i18n/i18n_en.yaml
@@ -1,4 +1,4 @@
 Description: 'The application {subject.process.name } launched with a potentially malicious file {object.fullpath}'
 EventDescriptions:
-    - LocalizationId: 'corrname_DirtyNIB'
+    - LocalizationId: 'corrname_MacOS_DirtyNIB'
       EventDescription: 'correlation_name = "DirtyNIB"'
diff --git a/...efense_evasion/DirtyNIB/i18n/i18n_ru.yaml → ..._evasion/MacOS_DirtyNIB/i18n/i18n_ru.yaml b/...efense_evasion/DirtyNIB/i18n/i18n_ru.yaml → ..._evasion/MacOS_DirtyNIB/i18n/i18n_ru.yaml
@@ -1,4 +1,4 @@
 Description: 'Приложение {subject.process.name} запущено с потенциально вредоносным файлом {object.fullpath}'
 EventDescriptions:
-    - LocalizationId: 'corrname_DirtyNIB'
+    - LocalizationId: 'corrname_MacOS_DirtyNIB'
       EventDescription: 'correlation_name = "DirtyNIB"'
diff --git a/...ck_defense_evasion/DirtyNIB/metainfo.yaml → ...ense_evasion/MacOS_DirtyNIB/metainfo.yaml b/...ck_defense_evasion/DirtyNIB/metainfo.yaml → ...ense_evasion/MacOS_DirtyNIB/metainfo.yaml
@@ -1,7 +1,7 @@
-ContentAutoName: DirtyNIB
+ContentAutoName: MacOS_DirtyNIB
 ExpertContext:
     Created: 24.06.2024
-    Updated: 25.06.2024
+    Updated: 30.07.2024
     KnowledgeHolders:
         - d3f0x0 (Vadim Varganov)
     Usecases: []
@@ -22,5 +22,5 @@ ContentRelations:
             defense-evasion:
                 - T1574
 EventDescriptions:
-    - Criteria: correlation_name = "DirtyNIB"
-      LocalizationId: corrname_DirtyNIB
+    - Criteria: correlation_name = "MacOS_DirtyNIB"
+      LocalizationId: corrname_MacOS_DirtyNIB
diff --git a/...re_attck_defense_evasion/DirtyNIB/rule.co → ...ck_defense_evasion/MacOS_DirtyNIB/rule.co b/...re_attck_defense_evasion/DirtyNIB/rule.co → ...ck_defense_evasion/MacOS_DirtyNIB/rule.co
@@ -2,7 +2,7 @@ event Create_dirty_nib:
     key:
         event_src.host, datafield1
     filter {
-        correlation_name == "Subrule_DirtyNIB"
+        correlation_name == "MacOS_Subrule_DirtyNIB"
     } 
 
 event Execute_vuln_app:
@@ -13,7 +13,7 @@ event Execute_vuln_app:
         and id == "PT_Positive_Technologies_XDR_es_logger_process_execution"
     } 
 
-rule DirtyNIB: (Create_dirty_nib -> Execute_vuln_app) timer 5m
+rule MacOS_DirtyNIB: (Create_dirty_nib -> Execute_vuln_app) timer 5m
 
 on Create_dirty_nib {
     $object = object

diff --git a/..._evasion/DirtyNIB/tests/raw_events_1.json → ...on/MacOS_DirtyNIB/tests/raw_events_1.json b/..._evasion/DirtyNIB/tests/raw_events_1.json → ...on/MacOS_DirtyNIB/tests/raw_events_1.json
diff --git a/..._defense_evasion/DirtyNIB/tests/test_1.sc → ...se_evasion/MacOS_DirtyNIB/tests/test_1.sc b/..._defense_evasion/DirtyNIB/tests/test_1.sc → ...se_evasion/MacOS_DirtyNIB/tests/test_1.sc
@@ -1,5 +1,8 @@
 # Здесь укажи какие нормализованные события (одно или несколько) ты подаешь на вход правилу корреляции.
 # События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
 
+
+# Здесь укажи какие нормализованные события (одно или несколько) ты подаешь на вход правилу корреляции.
+# События отделяются друг от друга символом новой строки. Каждое их них должно быть записано в строку.
 # Тут будет твой тест. В секции expect укажи сколько и каких корреляционных событий ты ожидаешь
-expect 1 {"correlation_name":"DirtyNIB"}
+expect 1 {"correlation_name":"MacOS_DirtyNIB"}
diff --git a/...ackage/correlation_rules/mitre_attck_defense_evasion/MacOS_DirtyNIB/tests/test_conds_1.tc b/...ackage/correlation_rules/mitre_attck_defense_evasion/MacOS_DirtyNIB/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+expect 1 {"category.generic":"Attack","category.high":"Defense Evasion","correlation_name":"MacOS_DirtyNIB","correlation_type":"incident","event_src.host":"127.0.0.1","importance":"medium","incident.aggregation.key":"MacOS_DirtyNIB|127.0.0.1|Freeform","incident.aggregation.timeout":7200,"incident.category":"SoftwareSuspiciousActivity","incident.severity":"medium","object":"file_object","object.fullpath":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/CRLAboutPanel.nib","object.name":"CRLAboutPanel.nib","object.path":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/","subject":"process","subject.account.id":"501","subject.account.session_id":"1","subject.process.cmdline":"/private/tmp/Freeform.app/Contents/MacOS/Freeform","subject.process.cwd":"/","subject.process.fullpath":"/private/tmp/Freeform.app/Contents/MacOS/Freeform","subject.process.hash":"B377F3EEBCAB61FFED11F292E6FF2BC8B0180C8A","subject.process.id":"2904","subject.process.name":"Freeform","subject.process.parent.id":"1","subject.process.path":"/private/tmp/Freeform.app/Contents/MacOS/"}
+expect 1 {"correlation_name":"Subrule_MacOS_DirtyNIB","correlation_type":"subrule","event_src.host":"127.0.0.1","importance":"low","object":"file_object","object.fullpath":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/CRLAboutPanel.nib","object.name":"CRLAboutPanel.nib","object.path":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/","subject":"process","subject.account.id":"501","subject.account.session_id":"450","subject.process.fullpath":"/bin/cp","subject.process.hash":"UNKNOWN:72FAD644EC24C0FB99080CCFBD8C0F5EE8245B04","subject.process.id":"2900","subject.process.name":"cp","subject.process.parent.id":"456","subject.process.path":"/bin/"}
diff --git a/...ile_or_Folder_Execution/i18n/i18n_en.yaml → ...ile_or_Folder_Execution/i18n/i18n_en.yaml b/...ile_or_Folder_Execution/i18n/i18n_en.yaml → ...ile_or_Folder_Execution/i18n/i18n_en.yaml
@@ -1,4 +1,4 @@
 Description: 'The process started from a hidden folder'
 EventDescriptions:
-    - LocalizationId: 'corrname_Hidden_File_or_Folder_Execution'
+    - LocalizationId: 'corrname_MacOS_Hidden_File_or_Folder_Execution'
       EventDescription: 'The {object.process.cmdline} process has been started on the {event_src.host} host. It is possible that there are hidden directories or files in the specified path. This could indicate an attempt to bypass security measures'
diff --git a/...ile_or_Folder_Execution/i18n/i18n_ru.yaml → ...ile_or_Folder_Execution/i18n/i18n_ru.yaml b/...ile_or_Folder_Execution/i18n/i18n_ru.yaml → ...ile_or_Folder_Execution/i18n/i18n_ru.yaml
@@ -1,4 +1,4 @@
 Description: 'Запустился процесс из скрытой папки'
 EventDescriptions:
-    - LocalizationId: 'corrname_Hidden_File_or_Folder_Execution'
+    - LocalizationId: 'corrname_MacOS_Hidden_File_or_Folder_Execution'
       EventDescription: 'На узле {event_src.host} запустился процесс {object.process.cmdline}. Предположительно в пути пристуствуют скрытые папки или файлы. Это может свидетельствовать о попытке обхода механозмов защиты'
diff --git a/...en_File_or_Folder_Execution/metainfo.yaml → ...en_File_or_Folder_Execution/metainfo.yaml b/...en_File_or_Folder_Execution/metainfo.yaml → ...en_File_or_Folder_Execution/metainfo.yaml
@@ -1,7 +1,7 @@
-ContentAutoName: Hidden_File_or_Folder_Execution
+ContentAutoName: MacOS_Hidden_File_or_Folder_Execution
 ExpertContext:
     Created: 28.06.2024
-    Updated: 08.07.2024
+    Updated: 30.07.2024
     KnowledgeHolders:
         - Protenil
     Usecases:
@@ -18,5 +18,5 @@ ContentRelations:
             defense-evasion:
                 - T1564.001
 EventDescriptions:
-    - Criteria: correlation_name = "Hidden_File_or_Folder_Execution"
-      LocalizationId: corrname_Hidden_File_or_Folder_Execution
+    - Criteria: correlation_name = "MacOS_Hidden_File_or_Folder_Execution"
+      LocalizationId: corrname_MacOS_Hidden_File_or_Folder_Execution
diff --git a/...n/Hidden_File_or_Folder_Execution/rule.co → ...S_Hidden_File_or_Folder_Execution/rule.co b/...n/Hidden_File_or_Folder_Execution/rule.co → ...S_Hidden_File_or_Folder_Execution/rule.co
@@ -9,7 +9,7 @@ event HiddenFolderOrFileExecution:
         and regex(object.process.cmdline, "^\/.*?\/\.[^\.\/]", 0) != NULL
     }
 
-rule Hidden_File_or_Folder_Execution: HiddenFolderOrFileExecution
+rule MacOS_Hidden_File_or_Folder_Execution: HiddenFolderOrFileExecution
 
     on HiddenFolderOrFileExecution {
         $subject.account.name = subject.account.name

diff --git a/..._Folder_Execution/tests/raw_events_1.json → ..._Folder_Execution/tests/raw_events_1.json b/..._Folder_Execution/tests/raw_events_1.json → ..._Folder_Execution/tests/raw_events_1.json
diff --git a/...s/mitre_attck_defense_evasion/MacOS_Hidden_File_or_Folder_Execution/tests/test_conds_1.tc b/...s/mitre_attck_defense_evasion/MacOS_Hidden_File_or_Folder_Execution/tests/test_conds_1.tc
@@ -0,0 +1 @@
+expect 1 {"correlation_name":"MacOS_Hidden_File_or_Folder_Execution"}
diff --git a/...vasion/Subrule_DirtyNIB/i18n/i18n_en.yaml → .../MacOS_Subrule_DirtyNIB/i18n/i18n_en.yaml b/...vasion/Subrule_DirtyNIB/i18n/i18n_en.yaml → .../MacOS_Subrule_DirtyNIB/i18n/i18n_en.yaml
@@ -1,4 +1,4 @@
 Description: 'Added a file with the extension *.nib {object.fullpath}'
 EventDescriptions:
-    - LocalizationId: 'corrname_Subrule_DirtyNIB'
+    - LocalizationId: 'corrname_MacOS_Subrule_DirtyNIB'
       EventDescription: 'correlation_name = "Subrule_DirtyNIB"'
diff --git a/...vasion/Subrule_DirtyNIB/i18n/i18n_ru.yaml → .../MacOS_Subrule_DirtyNIB/i18n/i18n_ru.yaml b/...vasion/Subrule_DirtyNIB/i18n/i18n_ru.yaml → .../MacOS_Subrule_DirtyNIB/i18n/i18n_ru.yaml
@@ -1,4 +1,4 @@
 Description: 'Добавлен файл с расширением *.nib {object.fullpath}'
 EventDescriptions:
-    - LocalizationId: 'corrname_Subrule_DirtyNIB'
+    - LocalizationId: 'corrname_MacOS_Subrule_DirtyNIB'
       EventDescription: 'correlation_name = "Subrule_DirtyNIB"'
diff --git a/...se_evasion/Subrule_DirtyNIB/metainfo.yaml → ...sion/MacOS_Subrule_DirtyNIB/metainfo.yaml b/...se_evasion/Subrule_DirtyNIB/metainfo.yaml → ...sion/MacOS_Subrule_DirtyNIB/metainfo.yaml
@@ -1,7 +1,7 @@
-ContentAutoName: Subrule_DirtyNIB
+ContentAutoName: MacOS_Subrule_DirtyNIB
 ExpertContext:
     Created: 25.06.2024
-    Updated: 25.06.2024
+    Updated: 30.07.2024
     KnowledgeHolders:
         - d3f0x0 (Vadim Varganov)
     Usecases:
@@ -16,5 +16,5 @@ ExpertContext:
               - 33
 ObjectId: SEC-CR-537667857
 EventDescriptions:
-    - Criteria: correlation_name = "Subrule_DirtyNIB"
-      LocalizationId: corrname_Subrule_DirtyNIB
+    - Criteria: correlation_name = "MacOS_Subrule_DirtyNIB"
+      LocalizationId: corrname_MacOS_Subrule_DirtyNIB
diff --git a/..._defense_evasion/Subrule_DirtyNIB/rule.co → ...se_evasion/MacOS_Subrule_DirtyNIB/rule.co b/..._defense_evasion/Subrule_DirtyNIB/rule.co → ...se_evasion/MacOS_Subrule_DirtyNIB/rule.co
@@ -8,7 +8,7 @@ event Writing_nib_to_exctract_app:
         and match(object.path,"*/Contents/Resources/*")
     }
 
-rule Subrule_DirtyNIB: Writing_nib_to_exctract_app
+rule MacOS_Subrule_DirtyNIB: Writing_nib_to_exctract_app
 
 on Writing_nib_to_exctract_app {
     $event_src.ip = event_src.ip

diff --git a/.../Subrule_DirtyNIB/tests/raw_events_1.json → ..._Subrule_DirtyNIB/tests/raw_events_1.json b/.../Subrule_DirtyNIB/tests/raw_events_1.json → ..._Subrule_DirtyNIB/tests/raw_events_1.json
diff --git a/...orrelation_rules/mitre_attck_defense_evasion/MacOS_Subrule_DirtyNIB/tests/test_conds_1.tc b/...orrelation_rules/mitre_attck_defense_evasion/MacOS_Subrule_DirtyNIB/tests/test_conds_1.tc
@@ -0,0 +1,2 @@
+# Successfull test
+expect 1 {"action":"modify","correlation_name":"MacOS_Subrule_DirtyNIB","correlation_type":"subrule","datafield1":"Freeform","importance":"low","object":"file_object","object.fullpath":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/CRLAboutPanel.nib","object.name":"CRLAboutPanel.nib","object.path":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/","status":"success","subject":"process","subject.account.id":"501","subject.account.session_id":"450","subject.process.fullpath":"/bin/cp","subject.process.hash":"UNKNOWN:72FAD644EC24C0FB99080CCFBD8C0F5EE8245B04","subject.process.id":"2900","subject.process.name":"cp","subject.process.parent.id":"456","subject.process.path":"/bin/"}
diff --git a/...kage/correlation_rules/mitre_attck_defense_evasion/Subrule_DirtyNIB/tests/test_conds_1.tc b/...kage/correlation_rules/mitre_attck_defense_evasion/Subrule_DirtyNIB/tests/test_conds_1.tc
diff --git a/...elation_rules/mitre_attck_discovery/Credentials_Validation_via_Dscl/tests/test_conds_1.tc b/...elation_rules/mitre_attck_discovery/Credentials_Validation_via_Dscl/tests/test_conds_1.tc
diff --git a/...elation_rules/mitre_attck_discovery/Credentials_Validation_via_Dscl/tests/test_conds_2.tc b/...elation_rules/mitre_attck_discovery/Credentials_Validation_via_Dscl/tests/test_conds_2.tc
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		expect 1 {"category.generic":"Attack","category.high":"Defense Evasion","correlation_name":"MacOS_DirtyNIB","correlation_type":"incident","event_src.host":"127.0.0.1","importance":"medium","incident.aggregation.key":"MacOS_DirtyNIB\|127.0.0.1\|Freeform","incident.aggregation.timeout":7200,"incident.category":"SoftwareSuspiciousActivity","incident.severity":"medium","object":"file_object","object.fullpath":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/CRLAboutPanel.nib","object.name":"CRLAboutPanel.nib","object.path":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/","subject":"process","subject.account.id":"501","subject.account.session_id":"1","subject.process.cmdline":"/private/tmp/Freeform.app/Contents/MacOS/Freeform","subject.process.cwd":"/","subject.process.fullpath":"/private/tmp/Freeform.app/Contents/MacOS/Freeform","subject.process.hash":"B377F3EEBCAB61FFED11F292E6FF2BC8B0180C8A","subject.process.id":"2904","subject.process.name":"Freeform","subject.process.parent.id":"1","subject.process.path":"/private/tmp/Freeform.app/Contents/MacOS/"}
		expect 1 {"correlation_name":"Subrule_MacOS_DirtyNIB","correlation_type":"subrule","event_src.host":"127.0.0.1","importance":"low","object":"file_object","object.fullpath":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/CRLAboutPanel.nib","object.name":"CRLAboutPanel.nib","object.path":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/","subject":"process","subject.account.id":"501","subject.account.session_id":"450","subject.process.fullpath":"/bin/cp","subject.process.hash":"UNKNOWN:72FAD644EC24C0FB99080CCFBD8C0F5EE8245B04","subject.process.id":"2900","subject.process.name":"cp","subject.process.parent.id":"456","subject.process.path":"/bin/"}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		expect 1 {"correlation_name":"MacOS_Hidden_File_or_Folder_Execution"}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Successfull test
		expect 1 {"action":"modify","correlation_name":"MacOS_Subrule_DirtyNIB","correlation_type":"subrule","datafield1":"Freeform","importance":"low","object":"file_object","object.fullpath":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/CRLAboutPanel.nib","object.name":"CRLAboutPanel.nib","object.path":"/private/tmp/Freeform.app/Contents/Resources/Base.lproj/","status":"success","subject":"process","subject.account.id":"501","subject.account.session_id":"450","subject.process.fullpath":"/bin/cp","subject.process.hash":"UNKNOWN:72FAD644EC24C0FB99080CCFBD8C0F5EE8245B04","subject.process.id":"2900","subject.process.name":"cp","subject.process.parent.id":"456","subject.process.path":"/bin/"}