Updated converted sigma rules for version version/7.3

config/uberAgent-ESA-am-sigma-high-macos.conf

@@ -7,42 +7,6 @@
 #    sigma convert -s -f conf -p uberagent-7.3.0 -O backend_version=7.3.0 -t uberagent /home/runner/work/uberAgent-config/uberAgent-config/build/sigma-high-macos >> uberAgent-ESA-am-sigma-high-macos.conf
 #
 
-[ThreatDetectionRule platform=MacOS]
-# Detects possible collection of data from the clipboard via execution of the osascript binary
-# Author: Sohan G (D4rkCiph3r)
-RuleId = 7794fa3c-edea-4cff-bec7-267dd4770fd7
-RuleName = Clipboard Data Collection Via OSAScript
-EventType = Process.Start
-Tag = proc-start-clipboard-data-collection-via-osascript
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1115", "T1059.002"], "author": "Sohan G (D4rkCiph3r)"}
-Query = Process.CommandLine like r"%osascript%" and Process.CommandLine like r"% -e %" and Process.CommandLine like r"%clipboard%"
-
-
-[ThreatDetectionRule platform=MacOS]
-# Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
-# Author: Tim Rauch (rule), Elastic (idea)
-RuleId = f68c4a4f-19ef-4817-952c-50dce331f4b0
-RuleName = Potential WizardUpdate Malware Infection
-EventType = Process.Start
-Tag = proc-start-potential-wizardupdate-malware-infection
-RiskScore = 75
-Annotation = {"author": "Tim Rauch (rule), Elastic (idea)"}
-Query = Process.Path like r"%/sh" and Process.CommandLine like r"%=$(curl %" and Process.CommandLine like r"%eval%" or Process.Path like r"%/curl" and Process.CommandLine like r"%\_intermediate\_agent\_%"
-
-
-[ThreatDetectionRule platform=MacOS]
-# Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
-# Author: Igor Fits, Mikhail Larin, oscd.community
-RuleId = 95361ce5-c891-4b0a-87ca-e24607884a96
-RuleName = Binary Padding - MacOS
-EventType = Process.Start
-Tag = proc-start-binary-padding-macos
-RiskScore = 75
-Annotation = {"mitre_attack": ["T1027.001"], "author": "Igor Fits, Mikhail Larin, oscd.community"}
-Query = Process.Path like r"%/truncate" and Process.CommandLine like r"%-s +%" or Process.Path like r"%/dd" and (Process.CommandLine like r"%if=/dev/zero%" or Process.CommandLine like r"%if=/dev/random%" or Process.CommandLine like r"%if=/dev/urandom%")
-
-
 [ThreatDetectionRule platform=MacOS]
 # Detecting attempts to extract passwords with grep and laZagne
 # Author: Igor Fits, Mikhail Larin, oscd.community
@@ -68,40 +32,52 @@ Query = Process.CommandLine like r"%osascript%" and Process.CommandLine like r"%
 
 
 [ThreatDetectionRule platform=MacOS]
-# Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
-# Author: Joseliyo Sanchez, @Joseliyo_Jstnk
-RuleId = 09a910bf-f71f-4737-9c40-88880ba5913d
-RuleName = Potential Base64 Decoded From Images
+# Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
+# Author: Sohan G (D4rkCiph3r)
+RuleId = 69483748-1525-4a6c-95ca-90dc8d431b68
+RuleName = Suspicious Microsoft Office Child Process - MacOS
 EventType = Process.Start
-Tag = proc-start-potential-base64-decoded-from-images
+Tag = proc-start-suspicious-microsoft-office-child-process-macos
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1140"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk"}
-Query = Process.Path like r"%/bash" and Process.CommandLine like r"%tail%" and Process.CommandLine like r"%-c%" and Process.CommandLine like r"%base64%" and Process.CommandLine like r"%-d%" and Process.CommandLine like r"%>%" and (Process.CommandLine like r"%.avif%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jfif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.pjp%" or Process.CommandLine like r"%.pjpeg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.svg%" or Process.CommandLine like r"%.webp%")
+Annotation = {"mitre_attack": ["T1059.002", "T1137.002", "T1204.002"], "author": "Sohan G (D4rkCiph3r)"}
+Query = (Parent.Path like r"%Microsoft Word%" or Parent.Path like r"%Microsoft Excel%" or Parent.Path like r"%Microsoft PowerPoint%" or Parent.Path like r"%Microsoft OneNote%") and (Process.Path like r"%/bash" or Process.Path like r"%/curl" or Process.Path like r"%/dash" or Process.Path like r"%/fish" or Process.Path like r"%/osacompile" or Process.Path like r"%/osascript" or Process.Path like r"%/sh" or Process.Path like r"%/zsh" or Process.Path like r"%/python" or Process.Path like r"%/python3" or Process.Path like r"%/wget")
+GenericProperty1 = Parent.Path
 
 
 [ThreatDetectionRule platform=MacOS]
-# Detects potential suspicious run-only executions compiled using OSACompile
+# Detects possible collection of data from the clipboard via execution of the osascript binary
 # Author: Sohan G (D4rkCiph3r)
-RuleId = b9d9b652-d8ed-4697-89a2-a1186ee680ac
-RuleName = OSACompile Run-Only Execution
+RuleId = 7794fa3c-edea-4cff-bec7-267dd4770fd7
+RuleName = Clipboard Data Collection Via OSAScript
 EventType = Process.Start
-Tag = proc-start-osacompile-run-only-execution
+Tag = proc-start-clipboard-data-collection-via-osascript
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.002"], "author": "Sohan G (D4rkCiph3r)"}
-Query = Process.CommandLine like r"%osacompile%" and Process.CommandLine like r"% -x %" and Process.CommandLine like r"% -e %"
+Annotation = {"mitre_attack": ["T1115", "T1059.002"], "author": "Sohan G (D4rkCiph3r)"}
+Query = Process.CommandLine like r"%osascript%" and Process.CommandLine like r"% -e %" and Process.CommandLine like r"%clipboard%"
 
 
 [ThreatDetectionRule platform=MacOS]
-# Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
-# Author: Sohan G (D4rkCiph3r)
-RuleId = 69483748-1525-4a6c-95ca-90dc8d431b68
-RuleName = Suspicious Microsoft Office Child Process - MacOS
+# Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
+# Author: Igor Fits, Mikhail Larin, oscd.community
+RuleId = 95361ce5-c891-4b0a-87ca-e24607884a96
+RuleName = Binary Padding - MacOS
 EventType = Process.Start
-Tag = proc-start-suspicious-microsoft-office-child-process-macos
+Tag = proc-start-binary-padding-macos
 RiskScore = 75
-Annotation = {"mitre_attack": ["T1059.002", "T1137.002", "T1204.002"], "author": "Sohan G (D4rkCiph3r)"}
-Query = (Parent.Path like r"%Microsoft Word%" or Parent.Path like r"%Microsoft Excel%" or Parent.Path like r"%Microsoft PowerPoint%" or Parent.Path like r"%Microsoft OneNote%") and (Process.Path like r"%/bash" or Process.Path like r"%/curl" or Process.Path like r"%/dash" or Process.Path like r"%/fish" or Process.Path like r"%/osacompile" or Process.Path like r"%/osascript" or Process.Path like r"%/sh" or Process.Path like r"%/zsh" or Process.Path like r"%/python" or Process.Path like r"%/python3" or Process.Path like r"%/wget")
-GenericProperty1 = Parent.Path
+Annotation = {"mitre_attack": ["T1027.001"], "author": "Igor Fits, Mikhail Larin, oscd.community"}
+Query = Process.Path like r"%/truncate" and Process.CommandLine like r"%-s +%" or Process.Path like r"%/dd" and (Process.CommandLine like r"%if=/dev/zero%" or Process.CommandLine like r"%if=/dev/random%" or Process.CommandLine like r"%if=/dev/urandom%")
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects the execution traces of the WizardUpdate malware. WizardUpdate is a macOS trojan that attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.
+# Author: Tim Rauch (rule), Elastic (idea)
+RuleId = f68c4a4f-19ef-4817-952c-50dce331f4b0
+RuleName = Potential WizardUpdate Malware Infection
+EventType = Process.Start
+Tag = proc-start-potential-wizardupdate-malware-infection
+RiskScore = 75
+Annotation = {"author": "Tim Rauch (rule), Elastic (idea)"}
+Query = Process.Path like r"%/sh" and Process.CommandLine like r"%=$(curl %" and Process.CommandLine like r"%eval%" or Process.Path like r"%/curl" and Process.CommandLine like r"%\_intermediate\_agent\_%"
 
 
 [ThreatDetectionRule platform=MacOS]
@@ -115,3 +91,27 @@ RiskScore = 75
 Annotation = {"mitre_attack": ["T1543.001", "T1543.004"], "author": "Sohan G (D4rkCiph3r)"}
 Query = Process.Path like r"%/PlistBuddy" and Process.CommandLine like r"%RunAtLoad%" and Process.CommandLine like r"%true%" and (Process.CommandLine like r"%LaunchAgents%" or Process.CommandLine like r"%LaunchDaemons%")
 
+
+[ThreatDetectionRule platform=MacOS]
+# Detects potential suspicious run-only executions compiled using OSACompile
+# Author: Sohan G (D4rkCiph3r)
+RuleId = b9d9b652-d8ed-4697-89a2-a1186ee680ac
+RuleName = OSACompile Run-Only Execution
+EventType = Process.Start
+Tag = proc-start-osacompile-run-only-execution
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1059.002"], "author": "Sohan G (D4rkCiph3r)"}
+Query = Process.CommandLine like r"%osacompile%" and Process.CommandLine like r"% -x %" and Process.CommandLine like r"% -e %"
+
+
+[ThreatDetectionRule platform=MacOS]
+# Detects the use of tail to extract bytes at an offset from an image and then decode the base64 value to create a new file with the decoded content. The detected execution is a bash one-liner.
+# Author: Joseliyo Sanchez, @Joseliyo_Jstnk
+RuleId = 09a910bf-f71f-4737-9c40-88880ba5913d
+RuleName = Potential Base64 Decoded From Images
+EventType = Process.Start
+Tag = proc-start-potential-base64-decoded-from-images
+RiskScore = 75
+Annotation = {"mitre_attack": ["T1140"], "author": "Joseliyo Sanchez, @Joseliyo_Jstnk"}
+Query = Process.Path like r"%/bash" and Process.CommandLine like r"%tail%" and Process.CommandLine like r"%-c%" and Process.CommandLine like r"%base64%" and Process.CommandLine like r"%-d%" and Process.CommandLine like r"%>%" and (Process.CommandLine like r"%.avif%" or Process.CommandLine like r"%.gif%" or Process.CommandLine like r"%.jfif%" or Process.CommandLine like r"%.jpeg%" or Process.CommandLine like r"%.jpg%" or Process.CommandLine like r"%.pjp%" or Process.CommandLine like r"%.pjpeg%" or Process.CommandLine like r"%.png%" or Process.CommandLine like r"%.svg%" or Process.CommandLine like r"%.webp%")
+