Potential Discovery Activity Using Find - MacOS

Original Source: [Sigma source]
Title: Potential Discovery Activity Using Find - MacOS
Status: test
Description: Detects usage of the "find" binary in a suspicious manner to perform discovery
References:
  - https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
Author: Nasreddine Bencherchali (Nextron Systems)
Date: 2022-12-28
Modified: None
Tags:
  • attack.discovery
  • attack.t1083
Logsource:
  • category: process_creation
  • product: macos
Detection:
  selection:
    Image|endswith: '/find'
    CommandLine|contains:
      - '-perm -4000'
      - '-perm -2000'
      - '-perm 0777'
      - '-perm -222'
      - '-perm -o w'
      - '-perm -o x'
      - '-perm -u=s'
      - '-perm -g=s'

  condition: selection
Falsepositives:
  - Unknown
Level: medium
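The selection logic above, written out as an added example (not part of the Sigma rule or its source) and run over constructed macOS process_creation events, to show which command lines the rule flags and which it ignores:

```python
from typing import Dict, List

# Patterns copied from the rule's CommandLine|contains list.
FIND_PERM_PATTERNS = [
    "-perm -4000", "-perm -2000", "-perm 0777", "-perm -222",
    "-perm -o w", "-perm -o x", "-perm -u=s", "-perm -g=s",
]


def matches_rule(event: Dict[str, str]) -> bool:
    """True when the event satisfies the rule's selection block:
    Image ends with '/find' AND CommandLine contains any listed pattern."""
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    if not image.endswith("/find"):
        return False
    # A list under 'contains' is an OR over its values; Sigma string
    # matching is case-insensitive by default, so normalise both sides.
    lowered = cmdline.lower()
    return any(p.lower() in lowered for p in FIND_PERM_PATTERNS)


def matched_patterns(event: Dict[str, str]) -> List[str]:
    """Which rule patterns fired, useful as enrichment on the alert."""
    if not matches_rule(event):
        return []
    lowered = event.get("CommandLine", "").lower()
    return [p for p in FIND_PERM_PATTERNS if p.lower() in lowered]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the subset of events that the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical field values, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/find", "CommandLine": "find / -perm -4000 -type f"},
    {"Image": "/usr/bin/find", "CommandLine": "find /var/log -name '*.log'"},
    {"Image": "/bin/ls", "CommandLine": "ls -la -perm -4000"},  # wrong Image
    {"Image": "/usr/bin/find", "CommandLine": "find /Users -PERM -o w -type d"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["CommandLine"], "->", matched_patterns(hit))
```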