From 9c7b8bcd5504d937a19e479886d0752a82965a20 Mon Sep 17 00:00:00 2001
From: peterydzynski <25185548+peterydzynski@users.noreply.github.com>
Date: Thu, 29 Aug 2024 14:30:47 -0400
Subject: [PATCH] Merge PR #4987 from @peterydzynski - Fix `System Network Discovery - macOS`

fix: System Network Discovery - macOS

- Add additional filter for `wifivelocityd`

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 ...on_macos_susp_system_network_discovery.yml} | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
 rename rules/macos/process_creation/{proc_creation_macos_system_network_discovery.yml => proc_creation_macos_susp_system_network_discovery.yml} (81%)

diff --git a/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml b/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml
similarity index 81%
rename from rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
rename to rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml
index 690993b3b3b..85806dcdeab 100644
--- a/rules/macos/process_creation/proc_creation_macos_system_network_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_system_network_discovery.yml
@@ -6,7 +6,7 @@ references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
 author: remotephone, oscd.community
 date: 2020-10-06
-modified: 2022-12-28
+modified: 2024-08-29
 tags:
     - attack.discovery
     - attack.t1016
@@ -14,19 +14,21 @@ logsource:
     product: macos
     category: process_creation
 detection:
-    selection1:
+    selection_1:
         Image|endswith:
-            - '/netstat'
+            - '/arp'
             - '/ifconfig'
-            - '/socketfilterfw'
+            - '/netstat'
             - '/networksetup'
-            - '/arp'
-    selection2:
+            - '/socketfilterfw'
+    selection_2:
         Image: '/usr/bin/defaults'
         CommandLine|contains|all:
-            - 'read'
             - '/Library/Preferences/com.apple.alf'
-    condition: 1 of selection*
+            - 'read'
+    filter_main_wifivelocityd:
+        ParentImage|endswith: '/wifivelocityd'
+    condition: 1 of selection_* and not 1 of filter_main_*
 falsepositives:
     - Legitimate administration activities
 level: informational
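Review bot: The new `filter_main_wifivelocityd` keys on `ParentImage|endswith: '/wifivelocityd'`, so the exclusion is decided by the parent's basename alone and applies to every selection, including the `defaults read` of `com.apple.alf` in `selection_2`, not only the network tools the daemon is presumably spawning. Pinning the exclusion to the daemon's full path, `ParentImage: '/usr/libexec/wifivelocityd'` (its location on current macOS — worth confirming against the telemetry that motivated the change), keeps the suppression limited to the system binary rather than any process that happens to carry that name. It would also help a reader to record which selection the daemon actually triggered, since the filter silently covers both; a short inline note such as `# wifivelocityd periodically invokes the network tools in selection_1` above the filter would do. Scoping the filter to `selection_1` via a dedicated condition, or splitting it so `selection_2` stays unfiltered, is the alternative if the `defaults` case was never observed from that parent.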