From 8e4fd663a8c972da816f9791c2dd763810636553 Mon Sep 17 00:00:00 2001 From: litemars Date: Wed, 27 May 2026 20:37:26 +0200 Subject: [PATCH 1/2] tuning rule ssh login enable --- ...ral_movement_remote_ssh_login_enabled.toml | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index f8bc0af0692..04174aaec45 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/18" integration = ["endpoint"] maturity = "production" -updated_date = "2026/03/24" +updated_date = "2026/05/27" [rule] author = ["Elastic"] @@ -58,11 +58,22 @@ type = "eql" query = ''' process where host.os.type == "macos" and event.type in ("start", "process_started") and - process.name == "systemsetup" and - process.args like~ "-setremotelogin" and - process.args like~ "on" and - process.parent.executable != null and - not process.parent.executable like ("/usr/local/jamf/bin/jamf", "/usr/libexec/xpcproxy", "/usr/bin/sudo") +( + ( + process.name == "systemsetup" and + process.args like~ "-setremotelogin" and + process.args like~ "on" + ) or + ( + process.name == "launchctl" and + process.args in ("load", "bootstrap") and + ( + process.command_line like~ "*/System/Library/LaunchDaemons/ssh.plist*" or + process.command_line like~ "*com.openssh.sshd*" + ) + ) +) and +not process.parent.executable like ("/usr/local/jamf/bin/jamf", "/usr/libexec/xpcproxy", "/usr/bin/sudo") ''' note = """## Triage and analysis From daac0cfe125cccabf8a890b2c66eb6fad31014c9 Mon Sep 17 00:00:00 2001 From: litemars Date: Wed, 27 May 2026 20:41:42 +0200 Subject: [PATCH 2/2] exclude null parent process --- rules/macos/lateral_movement_remote_ssh_login_enabled.toml | 1 + 1 file changed, 1 insertion(+) 
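Review bot: In the query hunk of lateral_movement_remote_ssh_login_enabled.toml the trailing exclusion `not process.parent.executable like ("/usr/local/jamf/bin/jamf", "/usr/libexec/xpcproxy", "/usr/bin/sudo")` now applies to the new launchctl branch as well, although it was written for the systemsetup branch. Loading a system LaunchDaemon presumably requires root, so interactive `launchctl load`/`bootstrap` invocations will often have `/usr/bin/sudo` as their parent and be silently excluded; if that is intended, say so in the rule's false-positives notes, otherwise scope the sudo entry to the systemsetup branch only. The `process.args in ("load", "bootstrap")` comparison is case-sensitive while every other string test in the query uses `like~`; `process.args in~ ("load", "bootstrap")` would be consistent. The `note = """## Triage and analysis` section that starts on the hunk's last line continues outside the hunk and should be updated to mention the launchctl path so the triage guidance matches the new coverage.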
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml index 04174aaec45..082cca03dd9 100644 --- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml +++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml @@ -73,6 +73,7 @@ process where host.os.type == "macos" and event.type in ("start", "process_start ) ) ) and +process.parent.executable != null and not process.parent.executable like ("/usr/local/jamf/bin/jamf", "/usr/libexec/xpcproxy", "/usr/bin/sudo") ''' note = """## Triage and analysis
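Review bot: The restored `process.parent.executable != null and` guard is placed correctly before the `like` exclusion, but nothing in the hunk records why events with no parent executable are dropped, and the `note` section beginning on the hunk's last line is the natural place for a sentence such as "Events whose parent executable is not populated are excluded from this rule." Whether the guard changes matching at all depends on how EQL evaluates `not ... like (...)` against a missing field; if it is only defensive, documenting that intent makes it less likely to be removed again, as happened in the first patch of this series. The enclosing `[rule]` table and the rest of the query start outside the hunk.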