From 6a5cf5c37c5c8aba2c810b3b2bdbfbd6bc262bfb Mon Sep 17 00:00:00 2001
From: pratinavchandra
Date: Mon, 27 May 2024 12:05:09 -0400
Subject: [PATCH] Merge PR #4785 from @pratinavchandra - add `System Information Discovery Via Sysctl - MacOS`

new: System Information Discovery Via Sysctl - MacOS

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_macos_sysctl_discovery.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml

diff --git a/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
new file mode 100644
index 000000000..06113ec55
--- /dev/null
+++ b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
@@ -0,0 +1,37 @@
+title: System Information Discovery Via Sysctl - MacOS
+id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
+status: experimental
+description: |
+ Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
+ This process is primarily used to detect and avoid virtualization and analysis environments.
+references:
+ - https://www.loobins.io/binaries/sysctl/#
+ - https://evasions.checkpoint.com/techniques/macos.html
+ - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
+ - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
+ - https://objective-see.org/blog/blog_0x1E.html
+ - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
+ - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
+author: Pratinav Chandra
+date: 2024/05/27
+tags:
+ - attack.defense_evasion
+ - attack.t1497.001
+ - attack.discovery
+ - attack.t1082
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '/sysctl'
+ - CommandLine|contains: 'sysctl'
+ selection_cmd:
+ CommandLine|contains:
+ - 'hw.'
+ - 'kern.'
+ - 'machdep.'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate administrative activities
+level: medium
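Review bot: The `selection_cmd` substring matches (`'hw.'`, `'kern.'`, `'machdep.'`) are broad enough to fire on routine, non-adversarial use that the `falsepositives` section does not name: build and packaging scripts on macOS commonly run `sysctl -n hw.ncpu` to size parallel jobs, and with `CommandLine|contains: 'sysctl'` in `selection_img` any wrapper shell invocation carrying that string matches too. At `level: medium` this is likely to be noisy on developer endpoints, so either narrow the values to the MIBs the cited references actually tie to VM/sandbox detection, or at least document the expected noise, e.g. add under `falsepositives`: `- Build tooling and package managers querying CPU or memory counts (e.g. "sysctl -n hw.ncpu")`. The description's second sentence (`This process is primarily used to detect and avoid virtualization...`) also reads as if sysctl itself is primarily an evasion tool; rewording it to say the *queried values* are used for that purpose would be clearer to an analyst triaging the alert.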