[Rule Tuning] Potential Persistence via Login Hook (#2177)

Mikaayenson · web-flow · commit 4f55e9b05f04 · 2022-08-05T14:25:31.000-04:00
* Exclude FPs for iMazing Profile Editor and backupd
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2022/07/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,8 @@ type = "query"
 query = '''
 event.category:"file" and not event.type:"deletion" and
  file.name:"com.apple.loginwindow.plist" and
- process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor))
+ process.name:(* and not (systemmigrationd or DesktopServicesHelper or diskmanagementd or rsync or launchd or cfprefsd or xpcproxy or ManagedClient or MCXCompositor or backupd or "iMazing Profile Editor"
+))
 '''
 
 
