Sigma rule (DRL-1.1 licence) from SigmaHQ/sigma

System Information Discovery Via Sysctl - MacOS

Detects the execution of "sysctl" with specific arguments that threat actors and malware have been observed using. The command returns system hardware and kernel information, and these particular lookups are primarily used by malware to detect, and then avoid, virtualization and analysis environments.

Rule source: rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
title: System Information Discovery Via Sysctl - MacOS
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
status: test
description: |
    Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
    This process is primarily used to detect and avoid virtualization and analysis environments.
references:
    - https://www.loobins.io/binaries/sysctl/#
    - https://evasions.checkpoint.com/techniques/macos.html
    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
    - https://objective-see.org/blog/blog_0x1E.html
    - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
    - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
author: Pratinav Chandra
date: 2024-05-27
tags:
    - attack.defense-evasion
    - attack.t1497.001
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '/sysctl'
        - CommandLine|contains: 'sysctl'
    selection_cmd:
        CommandLine|contains:
            - 'hw.'
            - 'kern.'
            - 'machdep.'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
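The detection block above combines two selections: selection_img is a list of two field conditions (OR-ed: image path ends with "/sysctl", or the command line contains "sysctl"), selection_cmd is a list of values under a single "contains" modifier (OR-ed: "hw.", "kern." or "machdep."), and "all of selection_*" AND-s the two. The following Python replays that logic over a handful of constructed macOS process_creation events so the rule's boundaries can be seen directly. This is an added example, not code from SigmaHQ/sigma or from this library page: it reproduces the selections by hand rather than through a Sigma backend, assumes events are dicts with "Image" and "CommandLine" fields, and reproduces Sigma's case-insensitive string matching by lower-casing both sides. The matched_keys helper (a hypothetical triage aid, not part of the rule) pulls the queried sysctl keys out of the command line, which is what an analyst most wants in the alert summary given the rule's stated false-positive source, legitimate administrative activity.

```python
"""Replay the 'System Information Discovery Via Sysctl - MacOS' logic
over constructed macOS process_creation events.

Added example: not code from SigmaHQ/sigma or from the library page.
Sigma string modifiers (endswith/contains) match case-insensitively,
which is reproduced here by lower-casing both sides of every compare.
"""
from typing import Dict, List

# Values copied from the rule's detection block.
IMAGE_SUFFIX = "/sysctl"
CMD_TOKEN = "sysctl"
KEY_PREFIXES = ("hw.", "kern.", "machdep.")


def _selection_img(event: Dict[str, str]) -> bool:
    """selection_img: a list of two field conditions, OR-ed together."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIX) or CMD_TOKEN in cmd


def _selection_cmd(event: Dict[str, str]) -> bool:
    """selection_cmd: a list of values under CommandLine|contains, OR-ed."""
    cmd = event.get("CommandLine", "").lower()
    return any(prefix in cmd for prefix in KEY_PREFIXES)


def matches_sysctl_discovery(event: Dict[str, str]) -> bool:
    """condition: all of selection_*  (both selections must hold)."""
    return _selection_img(event) and _selection_cmd(event)


def matched_keys(event: Dict[str, str]) -> List[str]:
    """Hypothetical triage helper: return the sysctl keys (hw./kern./machdep.)
    named on the command line, in their original spelling."""
    keys = []
    for token in event.get("CommandLine", "").split():
        bare = token.strip("\"'")
        if bare.lower().startswith(KEY_PREFIXES):
            keys.append(bare)
    return keys


def alerts(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rule over a list of events; return one summary per match."""
    out = []
    for idx, ev in enumerate(events):
        if matches_sysctl_discovery(ev):
            out.append({"index": idx, "image": ev.get("Image", ""),
                        "keys": matched_keys(ev)})
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Direct query of hardware model and core count: matches.
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl -n hw.model hw.ncpu"},
    # Launched via a shell, so Image is not sysctl but the command line
    # still contains it: matches through the second selection_img branch.
    {"Image": "/bin/sh",
     "CommandLine": 'sh -c "sysctl -n machdep.cpu.brand_string"'},
    # Dump of every key: no hw./kern./machdep. on the command line, so the
    # rule does not fire even though the output would contain them.
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl -a"},
    # A key name without any sysctl invocation: selection_img fails.
    {"Image": "/usr/bin/grep", "CommandLine": "grep hw.ncpu notes.txt"},
    # Upper-case spelling: still matches because matching is case-insensitive.
    {"Image": "/usr/sbin/sysctl", "CommandLine": "SYSCTL KERN.OSVERSION"},
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['image']} queried {hit['keys']}")
```

Two edges are worth noting from the sample set: "sysctl -a" returns every key the rule cares about yet does not match, because the rule inspects the command line rather than the output, and a command line that merely mentions "hw.ncpu" without running sysctl is correctly ignored.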