Update UnifiedLogging.md
danzek authored Jun 15, 2023
1 parent c38f420 commit e55b4ab
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion Operating Systems/macOS/UnifiedLogging.md
Expand Up @@ -64,7 +64,7 @@ Various filters to use with the `log` utility's `--predicate` parameter on macOS
**Tactic** | **Filter** | **Description** | **Last Tested On** | **Private Data**
---------- | ---------- | --------------- | ------------------ | ----------------
Initial Access | `processImagePath BEGINSWITH "/System/" AND process == "SecurityAgent" AND subsystem == "com.apple.loginwindow" AND eventMessage CONTAINS "Authentication failure"` | *Failed* password-based login attempt | 12.6 | No
Initial Access | `processImagePath BEGINSWITH "/System/Library/CoreServices" AND process == "loginwindow" AND subsystem == "com.apple.loginwindow.logging" AND eventMessage CONTAINS "[Login1 doLogin] | shortUsername"` | *Successful* password-based login | 12.6 | No
Initial Access | `processImagePath BEGINSWITH "/System/Library/CoreServices" AND process == "loginwindow" AND subsystem == "com.apple.loginwindow.logging" AND eventMessage CONTAINS "[Login1 doLogin] \| shortUsername"` | *Successful* password-based login | 12.6 | No
Initial Access | `process == "loginwindow" AND eventMessage CONTAINS[c] "APEventTouchIDNoMatch"` | *Failed* TouchID login attempt | 12.6 | No
Initial Access | `process == "loginwindow" AND eventMessage CONTAINS[c] "APEventTouchIDMatch"` | *Successful* TouchID login | 12.6 | No
Execution | `process == "sudo" && eventMessage CONTAINS[c] "COMMAND"` | Commands executed with `sudo` privileges | 12.6 | No
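Review bot: The escaped pipe in the replaced row is the right fix for the table, since the bare `|` inside the code span of the old row splits the markdown cell and pushes the description and the later columns out of alignment; GitHub Flavored Markdown renders `\|` back to a plain `|` even inside backticks, so the displayed predicate is unchanged. Worth a one-line note near the table that the backslash is a markdown escape only: a reader pasting the predicate into `log show --predicate` should type `eventMessage CONTAINS "[Login1 doLogin] | shortUsername"` with a plain pipe, because the backslash is not part of the loginwindow message text and is not needed on the command line.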