Potential Discovery Activity Using Find - MacOS

Detects usage of "find" binary in a suspicious manner to perform discovery

Sigma rule (View on GitHub)

 1title: Potential Discovery Activity Using Find - MacOS
 2id: 85de3a19-b675-4a51-bfc6-b11a5186c971
 3related:
 4    - id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
 5      type: similar
 6status: test
 7description: Detects usage of "find" binary in a suspicious manner to perform discovery
 8references:
 9    - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-12-28
12tags:
13    - attack.discovery
14    - attack.t1083
15logsource:
16    category: process_creation
17    product: macos
18detection:
19    selection:
20        Image|endswith: '/find'
21        CommandLine|contains:
22            - '-perm -4000'
23            - '-perm -2000'
24            - '-perm 0777'
25            - '-perm -222'
26            - '-perm -o w'
27            - '-perm -o x'
28            - '-perm -u=s'
29            - '-perm -g=s'
30    condition: selection
31falsepositives:
32    - Unknown
33level: medium

References

Related rules

to-top