SigmaHQ/sigma

Possible wrong detection of MacOS Startup Items

sebastianrath opened this issue · 4 comments

Rule UUID

dfe8b941-4e54-4242-b674-6b613d521962

Example EventLog

TargetFilename:/private/var/db/receipts/dev.actionforge.actrun.plist

Description

I have the following report from my executable on VirusTotal.com.
https://www.virustotal.com/gui/file/d9543b98f88645e3951c85114a678297c99ad6bce4862502ecadc8766f5eff4d/

It is reported that the check detected the creation of a startup item plist file. The rule is as follows:

detection:
    selection:
        - TargetFilename|contains: '/Library/StartupItems/'
        - TargetFilename|endswith: '.plist'
    condition: selection
falsepositives:

I'm not familiar with the ruleset syntax. As you can see from the report, the match is: /private/var/db/receipts/dev.actionforge.actrun.plist
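To show why the rule as posted fires on a package receipt, here is a small evaluator added for this write-up (not code from the issue, the Sigma project, or any Sigma tooling). It applies the selection semantics the Sigma format uses: a YAML list of maps is OR-ed, while the keys inside a single map are AND-ed, so the two-item list above matches any file ending in `.plist`. The `FIXED_SELECTION` single-map form is an assumption about the intended rule, and the sample paths other than the one from the report are constructed.

```python
"""Minimal evaluator for the Sigma selection semantics relevant to this issue."""


def _match_field(event, key, expected):
    # A Sigma key looks like "Field|modifier"; only the modifiers this rule uses
    # are implemented here (assumption: contains / endswith / exact match).
    field, _, modifier = key.partition("|")
    value = event.get(field, "")
    if modifier == "contains":
        return expected in value
    if modifier == "endswith":
        return value.endswith(expected)
    if modifier == "":
        return value == expected
    raise ValueError(f"unsupported modifier: {modifier}")


def evaluate_selection(selection, event):
    """List of maps => any item may match (OR); one map => every key must match (AND)."""
    if isinstance(selection, list):
        return any(evaluate_selection(item, event) for item in selection)
    return all(_match_field(event, key, val) for key, val in selection.items())


# The selection exactly as posted in the issue: a list of two single-key maps.
BUGGY_SELECTION = [
    {"TargetFilename|contains": "/Library/StartupItems/"},
    {"TargetFilename|endswith": ".plist"},
]

# Assumed intended form: one map, so the path must satisfy both conditions.
FIXED_SELECTION = {
    "TargetFilename|contains": "/Library/StartupItems/",
    "TargetFilename|endswith": ".plist",
}

# Sample file-creation events. The first path is the one from the VirusTotal
# report; the other two are constructed for illustration.
SAMPLE_EVENTS = {
    "receipt": {"TargetFilename": "/private/var/db/receipts/dev.actionforge.actrun.plist"},
    "startup_item": {"TargetFilename": "/Library/StartupItems/Example/Example.plist"},
    "unrelated": {"TargetFilename": "/usr/local/bin/tool"},
}


def classify(selection):
    """Return which sample events the given selection matches."""
    return {name: evaluate_selection(selection, event) for name, event in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    print("as posted:", classify(BUGGY_SELECTION))
    print("single map:", classify(FIXED_SELECTION))
```

Running it shows the posted selection matching the receipt path purely because it ends in `.plist`, while the single-map form only matches the file created under `/Library/StartupItems/`.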

Welcome @sebastianrath 👋

It looks like this is your first issue on the Sigma rules repository!

The following repository accepts issues related to false positives or 'rule ideas'.

If you're reporting an issue related to the pySigma library please consider submitting it here

If you're reporting an issue related to the deprecated sigmac library please consider submitting it here

Thanks for taking the time to open this issue, and welcome to the Sigma community! 😃

Hey @sebastianrath and thanks for reporting this.

There is indeed a typo in the rule. I will get it fixed asap.

Much appreciated!

Issue resolved. Thanks once again @sebastianrath for the report.