Generated docs from job=generate-docs branch=master [ci skip]

2025-01-28 05:08:35 +00:00
parent 5bfbca38f0
commit 8248b65cce
12 changed files with 315 additions and 20 deletions
@@ -2,7 +2,7 @@

 # Atomic Red Team

-![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1704-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
+![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1707-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)

 Atomic Red Team™ is a library of tests mapped to the
 [MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
@@ -89,8 +89,11 @@ defense-evasion,T1562.009,Impair Defenses: Safe Boot Mode,1,Safe Mode Boot,2a783
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
-defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
 defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,5,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",2,rm -rf,bd8ccc45-d632-481e-b7cf-c467627d68f9,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",3,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
@@ -1768,8 +1771,11 @@ discovery,T1087.001,Account Discovery: Local Account,11,ESXi - Local Account Dis
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,1,Detect Virtualization Environment (Linux),dfbd1a21-540d-4574-9731-e852bd6fe840,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,2,Detect Virtualization Environment (FreeBSD),e129d73b-3e03-4ae9-bf1e-67fc8921e0fd,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell
-discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
 discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,5,Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows),4a41089a-48e0-47aa-82cb-5b81a463bc78,powershell
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,1,Basic Permission Groups Discovery Windows (Domain),dd66d77d-8998-48c0-8024-df263dc2ce5d,command_prompt
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,2,Permission Groups Discovery PowerShell (Domain),6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7,powershell
 discovery,T1069.002,Permission Groups Discovery: Domain Groups,3,Elevated group enumeration using net group (Domain),0afb5163-8181-432e-9405-4322710c0c37,command_prompt
@@ -14,7 +14,10 @@ defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Cachi
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,3,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh
 defense-evasion,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo Caching,5,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh
 defense-evasion,T1036.005,Masquerading: Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh
-defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
+defense-evasion,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",1,rm -rf,989cc1b1-3642-4260-a809-54f9dd559683,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",3,Delete log files using built-in log utility,653d39cd-bae7-499a-898c-9fb96b8b5cd1,sh
 defense-evasion,T1070.002,"Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs",4,Truncate system log files via truncate utility,6290f8a8-8ee9-4661-b9cf-390031bf6973,sh
@@ -217,7 +220,10 @@ discovery,T1087.001,Account Discovery: Local Account,3,View accounts with UID 0,
 discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user,7e46c7a5-0142-45be-a858-1a3ecb4fd3cb,sh
 discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
 discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
-discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,4,Detect Virtualization Environment via ioreg,a960185f-aef6-4547-8350-d1ce16680d09,sh
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,6,Detect Virtualization Environment using sysctl (hw.model),6beae646-eb4c-4730-95be-691a4094408c,sh
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,7,Check if System Integrity Protection is enabled,2b73cd9b-b2fb-4357-b9d7-c73c41d9e945,sh
+discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,8,Detect Virtualization Environment using system_profiler,e04d2e89-de15-4d90-92f9-a335c7337f0f,sh
 discovery,T1040,Network Sniffing,3,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
 discovery,T1040,Network Sniffing,8,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
 discovery,T1040,Network Sniffing,9,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
@@ -122,8 +122,11 @@
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
  - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
  - Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
-  - Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
+  - Atomic Test #4: Detect Virtualization Environment via ioreg [macos]
  - Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
+  - Atomic Test #6: Detect Virtualization Environment using sysctl (hw.model) [macos]
+  - Atomic Test #7: Check if System Integrity Protection is enabled [macos]
+  - Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
 - [T1070.002 Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs](../../T1070.002/T1070.002.md)
  - Atomic Test #1: rm -rf [macos, linux]
  - Atomic Test #2: rm -rf [linux]
@@ -2438,8 +2441,11 @@
  - Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
  - Atomic Test #2: Detect Virtualization Environment (FreeBSD) [linux]
  - Atomic Test #3: Detect Virtualization Environment (Windows) [windows]
-  - Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
+  - Atomic Test #4: Detect Virtualization Environment via ioreg [macos]
  - Atomic Test #5: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) [windows]
+  - Atomic Test #6: Detect Virtualization Environment using sysctl (hw.model) [macos]
+  - Atomic Test #7: Check if System Integrity Protection is enabled [macos]
+  - Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
 - [T1069.002 Permission Groups Discovery: Domain Groups](../../T1069.002/T1069.002.md)
  - Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
  - Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
@@ -25,7 +25,10 @@
 - T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1562.009 Impair Defenses: Safe Boot Mode [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
-  - Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
+  - Atomic Test #4: Detect Virtualization Environment via ioreg [macos]
+  - Atomic Test #6: Detect Virtualization Environment using sysctl (hw.model) [macos]
+  - Atomic Test #7: Check if System Integrity Protection is enabled [macos]
+  - Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
 - T1218.004 Signed Binary Proxy Execution: InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1027.008 Stripped Payloads [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1574.001 Hijack Execution Flow: DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -634,7 +637,10 @@
  - Atomic Test #6: Enumerate users and groups [linux, macos]
  - Atomic Test #7: Enumerate users and groups [macos]
 - [T1497.001 Virtualization/Sandbox Evasion: System Checks](../../T1497.001/T1497.001.md)
-  - Atomic Test #4: Detect Virtualization Environment (MacOS) [macos]
+  - Atomic Test #4: Detect Virtualization Environment via ioreg [macos]
+  - Atomic Test #6: Detect Virtualization Environment using sysctl (hw.model) [macos]
+  - Atomic Test #7: Check if System Integrity Protection is enabled [macos]
+  - Atomic Test #8: Detect Virtualization Environment using system_profiler [macos]
 - T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - [T1040 Network Sniffing](../../T1040/T1040.md)
@@ -4816,7 +4816,7 @@ defense-evasion:
          Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
          if($error) {echo "Virtualization Environment detected"}
        cleanup_command: "$error.clear()\n"
-    - name: Detect Virtualization Environment (MacOS)
+    - name: Detect Virtualization Environment via ioreg
      auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
      description: 'ioreg contains registry entries for all the device drivers in
        the system. If it''s a virtual machine, one of the device manufacturer will
@@ -4848,6 +4848,49 @@ defense-evasion:
          $Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
          $Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
          if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
+    - name: Detect Virtualization Environment using sysctl (hw.model)
+      auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
+      description: |
+        sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
+        but will return the hypervisor name (VMware7,0).
+        Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
+          ''Virtualization Environment detected''; fi;
+
+          '
+    - name: Check if System Integrity Protection is enabled
+      auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
+      description: "The latest versions of macOS have the System Integrity Protection
+        feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
+        purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
+        may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
+          ''Possible Virtualization Environment detected''; fi;
+
+          '
+    - name: Detect Virtualization Environment using system_profiler
+      auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
+      description: "system_profiler provides system hardware and software configuration
+        and the Model Identifier should provide the value similar to (sysctl -n hw.model).
+        \nWe should be able to find whether virtualization is enabled by checking
+        whether the Model Identifier does not contain \"Mac\".\n"
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
+          | grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
+          fi;
+
+          '
  T1070.002:
    technique:
      x_mitre_platforms:
@@ -101849,7 +101892,7 @@ discovery:
          Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
          if($error) {echo "Virtualization Environment detected"}
        cleanup_command: "$error.clear()\n"
-    - name: Detect Virtualization Environment (MacOS)
+    - name: Detect Virtualization Environment via ioreg
      auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
      description: 'ioreg contains registry entries for all the device drivers in
        the system. If it''s a virtual machine, one of the device manufacturer will
@@ -101881,6 +101924,49 @@ discovery:
          $Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
          $Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
          if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
+    - name: Detect Virtualization Environment using sysctl (hw.model)
+      auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
+      description: |
+        sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
+        but will return the hypervisor name (VMware7,0).
+        Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
+          ''Virtualization Environment detected''; fi;
+
+          '
+    - name: Check if System Integrity Protection is enabled
+      auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
+      description: "The latest versions of macOS have the System Integrity Protection
+        feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
+        purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
+        may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
+          ''Possible Virtualization Environment detected''; fi;
+
+          '
+    - name: Detect Virtualization Environment using system_profiler
+      auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
+      description: "system_profiler provides system hardware and software configuration
+        and the Model Identifier should provide the value similar to (sysctl -n hw.model).
+        \nWe should be able to find whether virtualization is enabled by checking
+        whether the Model Identifier does not contain \"Mac\".\n"
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
+          | grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
+          fi;
+
+          '
  T1069.002:
    technique:
      modified: '2023-04-07T17:16:47.754Z'
@@ -2714,7 +2714,7 @@ defense-evasion:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1497.001
    atomic_tests:
-    - name: Detect Virtualization Environment (MacOS)
+    - name: Detect Virtualization Environment via ioreg
      auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
      description: 'ioreg contains registry entries for all the device drivers in
        the system. If it''s a virtual machine, one of the device manufacturer will
@@ -2730,6 +2730,49 @@ defense-evasion:
          ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
          detected''; fi;

+          '
+    - name: Detect Virtualization Environment using sysctl (hw.model)
+      auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
+      description: |
+        sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
+        but will return the hypervisor name (VMware7,0).
+        Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
+          ''Virtualization Environment detected''; fi;
+
+          '
+    - name: Check if System Integrity Protection is enabled
+      auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
+      description: "The latest versions of macOS have the System Integrity Protection
+        feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
+        purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
+        may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
+          ''Possible Virtualization Environment detected''; fi;
+
+          '
+    - name: Detect Virtualization Environment using system_profiler
+      auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
+      description: "system_profiler provides system hardware and software configuration
+        and the Model Identifier should provide the value similar to (sysctl -n hw.model).
+        \nWe should be able to find whether virtualization is enabled by checking
+        whether the Model Identifier does not contain \"Mac\".\n"
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
+          | grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
+          fi;
+
          '
  T1070.002:
    technique:
@@ -55463,7 +55506,7 @@ discovery:
      x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
      identifier: T1497.001
    atomic_tests:
-    - name: Detect Virtualization Environment (MacOS)
+    - name: Detect Virtualization Environment via ioreg
      auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
      description: 'ioreg contains registry entries for all the device drivers in
        the system. If it''s a virtual machine, one of the device manufacturer will
@@ -55479,6 +55522,49 @@ discovery:
          ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment
          detected''; fi;

+          '
+    - name: Detect Virtualization Environment using sysctl (hw.model)
+      auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
+      description: |
+        sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
+        but will return the hypervisor name (VMware7,0).
+        Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(sysctl -n hw.model | grep -v ''Mac'')" != "" ]; then echo
+          ''Virtualization Environment detected''; fi;
+
+          '
+    - name: Check if System Integrity Protection is enabled
+      auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
+      description: "The latest versions of macOS have the System Integrity Protection
+        feature (SIP). If a sandbox uses a non-signed \nkernel extension for monitoring
+        purposes the, SIP feature must be disabled to load this kind of kernel extension.\nMalware
+        may check if the SIP is enabled.\nReference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip\n"
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(csrutil status | grep -v ''enabled'')" != "" ]; then echo
+          ''Possible Virtualization Environment detected''; fi;
+
+          '
+    - name: Detect Virtualization Environment using system_profiler
+      auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
+      description: "system_profiler provides system hardware and software configuration
+        and the Model Identifier should provide the value similar to (sysctl -n hw.model).
+        \nWe should be able to find whether virtualization is enabled by checking
+        whether the Model Identifier does not contain \"Mac\".\n"
+      supported_platforms:
+      - macos
+      executor:
+        name: sh
+        command: 'if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier"
+          | grep -v ''Mac'')" != "" ]; then echo ''Virtualization Environment detected'';
+          fi;
+
          '
  T1069.002:
    technique:
@@ -18,10 +18,16 @@ Hardware checks, such as the presence of the fan, temperature, and audio devices

 - [Atomic Test #3 - Detect Virtualization Environment (Windows)](#atomic-test-3---detect-virtualization-environment-windows)

- [Atomic Test #4 - Detect Virtualization Environment (MacOS)](#atomic-test-4---detect-virtualization-environment-macos)
+- [Atomic Test #4 - Detect Virtualization Environment via ioreg](#atomic-test-4---detect-virtualization-environment-via-ioreg)

 - [Atomic Test #5 - Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)](#atomic-test-5---detect-virtualization-environment-via-wmi-manufacturermodel-listing-windows)

+- [Atomic Test #6 - Detect Virtualization Environment using sysctl (hw.model)](#atomic-test-6---detect-virtualization-environment-using-sysctl-hwmodel)
+
+- [Atomic Test #7 - Check if System Integrity Protection is enabled](#atomic-test-7---check-if-system-integrity-protection-is-enabled)
+
+- [Atomic Test #8 - Detect Virtualization Environment using system_profiler](#atomic-test-8---detect-virtualization-environment-using-system_profiler)
+

 <br/>

@@ -118,7 +124,7 @@ $error.clear()
 <br/>
 <br/>

-## Atomic Test #4 - Detect Virtualization Environment (MacOS)
+## Atomic Test #4 - Detect Virtualization Environment via ioreg
 ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software.

 **Supported Platforms:** macOS
@@ -173,4 +179,94 @@ if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower()



+<br/>
+<br/>
+
+## Atomic Test #6 - Detect Virtualization Environment using sysctl (hw.model)
+sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
+but will return the hypervisor name (VMware7,0).
+Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 6beae646-eb4c-4730-95be-691a4094408c
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+if [ "$(sysctl -n hw.model | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #7 - Check if System Integrity Protection is enabled
+The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed 
+kernel extension for monitoring purposes the, SIP feature must be disabled to load this kind of kernel extension.
+Malware may check if the SIP is enabled.
+Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+if [ "$(csrutil status | grep -v 'enabled')" != "" ]; then echo 'Possible Virtualization Environment detected'; fi;
+```
+
+
+
+
+
+
+<br/>
+<br/>
+
+## Atomic Test #8 - Detect Virtualization Environment using system_profiler
+system_profiler provides system hardware and software configuration and the Model Identifier should provide the value similar to (sysctl -n hw.model). 
+We should be able to find whether virtualization is enabled by checking whether the Model Identifier does not contain "Mac".
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** e04d2e89-de15-4d90-92f9-a335c7337f0f
+
+
+
+
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier" | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
+```
+
+
+
+
+
+
 <br/>
@@ -67,7 +67,7 @@ atomic_tests:
      $Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
      if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
 - name: Detect Virtualization Environment using sysctl (hw.model)
-  auto_generated_guid: 
+  auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
  description: |
    sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
    but will return the hypervisor name (VMware7,0).
@@ -79,7 +79,7 @@ atomic_tests:
    command: | 
      if [ "$(sysctl -n hw.model | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
 - name: Check if System Integrity Protection is enabled
-  auto_generated_guid: 
+  auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
  description: |
    The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed 
    kernel extension for monitoring purposes the, SIP feature must be disabled to load this kind of kernel extension.
@@ -92,7 +92,7 @@ atomic_tests:
    command: | 
      if [ "$(csrutil status | grep -v 'enabled')" != "" ]; then echo 'Possible Virtualization Environment detected'; fi;
 - name: Detect Virtualization Environment using system_profiler
-  auto_generated_guid: 
+  auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
  description: |
    system_profiler provides system hardware and software configuration and the Model Identifier should provide the value similar to (sysctl -n hw.model). 
    We should be able to find whether virtualization is enabled by checking whether the Model Identifier does not contain "Mac".
@@ -1728,3 +1728,6 @@ de47f4a0-2acb-416d-9a6b-cee584a4c4d1
 89a83c3e-0b39-4c80-99f5-c2aa084098bd
 b647f4ee-88de-40ac-9419-f17fac9489a7
 a3cc9c95-c160-4b86-af6f-84fba87bfd30
+6beae646-eb4c-4730-95be-691a4094408c
+2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
+e04d2e89-de15-4d90-92f9-a335c7337f0f