Nasreddine Bencherchali
598d29f811
chore: change tags, date, modified fields to comply with v2 of the Sigma spec. chore: update the related type from `obsoletes` to `obsolete`. chore: update local json schema to the latest version.
38 lines
1.5 KiB
YAML
38 lines
1.5 KiB
YAML
title: System Information Discovery Via Sysctl - MacOS
|
|
id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
|
|
status: experimental
|
|
description: |
|
|
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
|
|
This process is primarily used to detect and avoid virtualization and analysis environments.
|
|
references:
|
|
- https://www.loobins.io/binaries/sysctl/#
|
|
- https://evasions.checkpoint.com/techniques/macos.html
|
|
- https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
|
|
- https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
|
|
- https://objective-see.org/blog/blog_0x1E.html
|
|
- https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
|
|
- https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
|
|
author: Pratinav Chandra
|
|
date: 2024-05-27
|
|
tags:
|
|
- attack.defense-evasion
|
|
- attack.t1497.001
|
|
- attack.discovery
|
|
- attack.t1082
|
|
logsource:
|
|
product: macos
|
|
category: process_creation
|
|
detection:
|
|
selection_img:
|
|
- Image|endswith: '/sysctl'
|
|
- CommandLine|contains: 'sysctl'
|
|
selection_cmd:
|
|
CommandLine|contains:
|
|
- 'hw.'
|
|
- 'kern.'
|
|
- 'machdep.'
|
|
condition: all of selection_*
|
|
falsepositives:
|
|
- Legitimate administrative activities
|
|
level: medium
|