SigmaHQ / sigma

Main Sigma Rule Repository

Update proc_creation_macos_xattr_gatekeeper_bypass.yml #4823

Closed pratinavchandra closed 5 months ago

pratinavchandra commented 5 months ago

Summary of the Pull Request

Updating rule proc_creation_macos_xattr_gatekeeper_bypass.yml

The current rule checks for the wrong option. The actual option that deletes the attribute is `-d`. The current rule will miss cases where the quarantine attribute is removed using only the `-d` option: `xattr -d com.apple.quarantine FILE`

Checking for only the `-d` option also covers the case where attributes are removed recursively using `xattr -d -r com.apple.quarantine /path/`

man page for xattr:

(screenshot of the xattr man page)

Changelog

update: Gatekeeper Bypass via Xattr - Update command line flag

Example Log Event

(screenshot of an example log event)

Fixed Issues

SigmaHQ Rule Creation Conventions
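The selection the PR argues for, run over constructed sample process-creation events, as an added example (this is not code from the SigmaHQ repository or from the PR author). It assumes a selection of the shape described above, Image ending in `/xattr` plus CommandLine containing both `-d` and `com.apple.quarantine` under Sigma's `contains|all` modifier, written out as plain Python rather than the rule's YAML; the sample events, the helper names and the stricter token-aware check are all constructed for this illustration.

```python
"""Run the detection logic described in the PR over constructed sample events.

Added example, not code from the SigmaHQ repository or the PR. It emulates a
Sigma selection of the form the PR argues for: Image ends with '/xattr' and
CommandLine contains both '-d' and 'com.apple.quarantine' (Sigma's
contains|all modifier, a case-insensitive substring test). Field names follow
the Sigma process_creation taxonomy; the shipped rule's YAML is not reproduced.
"""
import shlex

# Assumed selection, written as plain Python (see module docstring).
XATTR_IMAGE_SUFFIX = "/xattr"
REQUIRED_SUBSTRINGS = ("-d", "com.apple.quarantine")


def sigma_contains_all(value: str, needles) -> bool:
    """Sigma 'contains|all': every needle must appear as a case-insensitive substring."""
    lowered = value.lower()
    return all(n.lower() in lowered for n in needles)


def matches_rule(event: dict) -> bool:
    """The selection from the PR description: xattr image plus -d and the quarantine attribute."""
    return (event["Image"].lower().endswith(XATTR_IMAGE_SUFFIX)
            and sigma_contains_all(event["CommandLine"], REQUIRED_SUBSTRINGS))


def xattr_deletes_quarantine(command_line: str) -> bool:
    """Stricter, token-aware check of what the command actually does (hypothetical helper).

    Treats -d (delete one attribute) and -c (clear all attributes) as removing
    com.apple.quarantine, handles bundled short flags such as -dr, and ignores a
    '-d' that only appears inside a path argument.
    """
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "xattr":
        return False
    flags = set()
    operands = []
    for tok in argv[1:]:
        if tok.startswith("-") and len(tok) > 1:
            flags.update(tok[1:])          # "-dr" -> {"d", "r"}
        else:
            operands.append(tok)
    if "c" in flags:
        return True                        # -c strips every attribute, quarantine included
    return "d" in flags and "com.apple.quarantine" in operands


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "delete-one", "Image": "/usr/bin/xattr",
     "CommandLine": "xattr -d com.apple.quarantine /Users/alice/Downloads/tool.dmg"},
    {"id": "delete-recursive", "Image": "/usr/bin/xattr",
     "CommandLine": "xattr -d -r com.apple.quarantine /Users/alice/Downloads/App.app"},
    {"id": "delete-bundled-flags", "Image": "/usr/bin/xattr",
     "CommandLine": "xattr -dr com.apple.quarantine /Users/alice/Downloads/App.app"},
    {"id": "list-benign", "Image": "/usr/bin/xattr",
     "CommandLine": "xattr -l /Users/alice/Downloads/tool.dmg"},
    {"id": "print-with-dash-d-in-path", "Image": "/usr/bin/xattr",
     "CommandLine": "xattr -p com.apple.quarantine /Users/alice/build-debug/tool.dmg"},
    {"id": "clear-all", "Image": "/usr/bin/xattr",
     "CommandLine": "xattr -c /Users/alice/Downloads/tool.dmg"},
    {"id": "other-binary", "Image": "/bin/rm",
     "CommandLine": "rm -d /Users/alice/com.apple.quarantine"},
]


def evaluate(events=SAMPLE_EVENTS) -> dict:
    """Return {event id: (rule fired, command really removes the quarantine attribute)}."""
    return {e["id"]: (matches_rule(e), xattr_deletes_quarantine(e["CommandLine"]))
            for e in events}


if __name__ == "__main__":
    for event_id, (fired, removes) in evaluate().items():
        print(f"{event_id:28} rule={'HIT ' if fired else 'miss'} actually-removes={removes}")
```

The first three rows show the `-d`-keyed selection catching the single, recursive and bundled-flag forms the PR describes. The two disagreeing rows are the caveats a reviewer would want to know about: Sigma's `contains` is a substring test, so a bare `-d` needle also fires on a path such as `build-debug`, and `xattr -c`, which clears every attribute including the quarantine flag, is missed by a rule that keys only on `-d`.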

nasbench commented 5 months ago

Thanks for the contribution @pratinavchandra. Unfortunately, you can't claim authorship of a rule for just fixing a small typo. You will be credited in the release section in the coming days.

Thanks :)

pratinavchandra commented 5 months ago

Oh okay! In my view, I didn't think of it as just a typo; I thought of it as a logical error in which command line option to detect. I understand though :) Thanks!