Closed pratinavchandra closed 5 months ago
Thanks for the contribution @pratinavchandra Unfortunately you can't claim authorship of a rule for just fixing a small typo. You will be credited in the release section in the coming days
Thanks :)
Oh okay! In my view, I didn't think of it as just a typo, I thought of it as a logical error in which command line option to detect. I understand though :) Thanks!
Summary of the Pull Request
Updating rule proc_creation_macos_xattr_gatekeeper_bypass.yml
The current rule checks for the wrong option. The actual option that deletes the attribute is `-d`.

The current rule will miss cases where the quarantine attribute is removed using only the `-d` option: `xattr -d com.apple.quarantine FILE`

Checking for only the `-d` option also covers when attributes are removed recursively using `xattr -d -r com.apple.quarantine /path/`
man page for xattr:
Changelog
update: Gatekeeper Bypass via Xattr - Update command line flag
Example Log Event
Fixed Issues
SigmaHQ Rule Creation Conventions
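An added example (not the Sigma rule itself or SigmaHQ code) that applies the detection logic this PR argues for to constructed process-creation events: an `xattr` invocation that passes `-d` with `com.apple.quarantine` as the attribute is flagged, with or without `-r`. Treating combined short flags such as `-dr` as equivalent to `-d -r` is an assumption about how the check should generalise, not something the PR states.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

QUARANTINE_ATTR = "com.apple.quarantine"


@dataclass
class Match:
    recursive: bool
    target: str


def is_xattr_quarantine_removal(command_line: str) -> Optional[Match]:
    """Return a Match if the command line deletes com.apple.quarantine via xattr -d."""
    try:
        argv = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: not a parseable command line
        return None
    # Accept a bare "xattr" as well as a full path such as /usr/bin/xattr
    if not argv or argv[0].rsplit("/", 1)[-1] != "xattr":
        return None
    delete = recursive = False
    positional: List[str] = []
    for tok in argv[1:]:
        if len(tok) > 1 and tok.startswith("-") and not tok.startswith("--"):
            # Assumption: combined short flags (-dr) behave like -d -r
            flags = set(tok[1:])
            delete = delete or "d" in flags
            recursive = recursive or "r" in flags
        else:
            positional.append(tok)
    # With -d, the first positional argument is the attribute name, then the path(s)
    if not delete or not positional or positional[0] != QUARANTINE_ATTR:
        return None
    return Match(recursive=recursive, target=positional[1] if len(positional) > 1 else "")


# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    "xattr -d com.apple.quarantine ~/Downloads/installer.dmg",
    "xattr -d -r com.apple.quarantine /Applications/Example.app",
    "/usr/bin/xattr -dr com.apple.quarantine /Applications/Example.app",
    "xattr -l ~/Downloads/installer.dmg",                    # listing only
    "xattr -p com.apple.quarantine ~/Downloads/installer.dmg",  # printing only
    "xattr -d com.apple.metadata:kMDItemWhereFroms ~/Downloads/installer.dmg",
]


def detect(events: List[str]) -> List[str]:
    """Return the command lines that the -d based check would flag."""
    return [e for e in events if is_xattr_quarantine_removal(e) is not None]
```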