Suspicious SIP Check by macOS Application

Detects a macOS application bundle running csrutil status and searching its output for "enabled". The check is harmless on its own, but it is a common malware preflight: SIP is enabled by default on every Mac and is usually disabled only on analysis, research or otherwise non-standard systems, so the result tells a sample whether it is likely to be under observation, and whether SIP will block writes to protected system locations, before it commits to running its payload.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/01/30"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/02/09"

[rule]
author = ["Elastic"]
description = """
Detects the unusual use of csrutil by a macOS application to check System Integrity Protection (SIP) status.
While not malicious in itself, this activity is highly indicative of malware verifying it is not running
in a virtual machine or protected environment prior to executing its payload.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious SIP Check by macOS Application"
note = """ ## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious SIP Check by macOS Application

This rule detects a macOS application bundle launching `csrutil status` and explicitly parsing for “enabled,” an uncommon behavior that often signals preflight environment checks. Attackers use this to confirm System Integrity Protection constraints before deciding whether to attempt persistence, injection, or privilege escalation, or to abort execution to avoid analysis. A common pattern is a trojanized app from a mounted disk image performing the SIP check immediately after first launch, then conditionally unpacking and running a secondary payload.

### Possible investigation steps

- Identify the initiating application bundle and validate its provenance by reviewing its code signature, notarization status, Team ID, and download origin (e.g., Gatekeeper quarantine attributes and DMG mount source).  
- Build a short timeline around the SIP check to see what executed next from the same parent chain (new processes, scripts, installers, or command interpreters) and whether execution diverged after reading “enabled.”  
- Inspect the app’s bundle contents and related file activity for dropped binaries, launch agents/daemons, login items, or modified plist files that indicate persistence or staged payload execution.  
- Look for follow-on discovery and defense-evasion behavior on the host (e.g., VM/sandbox checks, system profiling, security tool enumeration, permission prompts abuse) that would support a malware preflight workflow.  
- If suspicious, isolate the host and collect the app bundle, associated DMG, and execution artifacts for detonation and reverse engineering, then hunt for the same app hash/Team ID across the fleet.

### False positive analysis

- A legitimate enterprise-managed macOS application performing a preflight compatibility or supportability check may invoke `csrutil status` and look for “enabled” to decide whether to proceed with installing drivers, configuring system settings, or enabling features that require SIP-related constraints awareness.  
- A user-initiated security/compliance workflow from a GUI app (e.g., a system configuration, diagnostic, or remediation utility distributed as an `.app` from `/Applications` or a mounted volume) may run `csrutil status` and parse for “enabled” to display a health report or to gate remediation instructions without any malicious follow-on activity.

### Response and remediation

- Isolate the affected macOS host from the network and prevent further execution by quitting the initiating `.app` and blocking its bundle identifier/hash via MDM/EDR policy.  
- Acquire and preserve artifacts for analysis, including the full `.app` bundle, the originating DMG/ZIP (if launched from `/Volumes`), Gatekeeper quarantine metadata, and recent install logs to trace the download source and execution chain.  
- Eradicate by removing the suspicious application and any follow-on components it created (new LaunchAgents/LaunchDaemons, Login Items, cron entries, and dropped executables in user and system Library paths), then terminate any child processes spawned after the SIP check.  
- Recover by reinstalling trusted software from known-good sources, rotating credentials used on the host since the first execution, and monitoring for re-creation of persistence files or repeated `csrutil status` checks from application bundles.  
- Escalate to incident response if the app is unsigned/notarization-failed, originates from a mounted volume or user Downloads, or if post-check activity includes attempts to modify security settings, write to persistence locations, or launch interpreters like `bash`, `zsh`, `python`, or `osascript`.  
- Harden by enforcing only notarized/signed app execution (Gatekeeper/MDM restrictions), blocking untrusted apps from removable/mounted volumes, and deploying detections for app-bundled execution of `csrutil` and subsequent persistence creation.
"""
risk_score = 47
rule_id = "1615230f-beb7-48d8-9b3f-6d10674703bf"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Discovery",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
  process.command_line like "*csrutil*status*" and
  process.command_line like "*enabled*" and
  (process.parent.executable like "/*.app/*" or
   process.parent.executable like "/Applications/*.app/*" or
   process.parent.executable like "/Volumes/*.app/*") and
  not process.parent.executable == "/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  name = "Discovery"
  id = "TA0007"
  reference = "https://attack.mitre.org/tactics/TA0007/"

  [[rule.threat.technique]]
  name = "System Information Discovery"
  id = "T1082"
  reference = "https://attack.mitre.org/techniques/T1082/"

  [[rule.threat.technique]]
  name = "Virtualization/Sandbox Evasion"
  id = "T1497"
  reference = "https://attack.mitre.org/techniques/T1497/"

    [[rule.threat.technique.subtechnique]]
    name = "System Checks"
    id = "T1497.001"
    reference = "https://attack.mitre.org/techniques/T1497/001/"
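The query above, re-implemented in Python over a handful of constructed process events so the rule's behaviour can be exercised offline. This is an added example, not Elastic's code: the event dicts are constructed ECS-style records, and like() reproduces EQL's glob semantics (`*` matches any run of characters, `?` one character, matching is case-sensitive; `like~` is the case-insensitive form). Two things it makes visible that the query does not state: the first parent pattern `/*.app/*` already covers the `/Applications/` and `/Volumes/` variants, and the case-sensitive `*enabled*` pattern misses a check written as `grep -i ENABLED`.

```python
"""Re-implementation of the rule's EQL predicate (added example, not Elastic's
code) over constructed ECS-style process events."""
import re

MOSYLE = "/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM"


def like(value, pattern, case_insensitive=False):
    """EQL-style wildcard match: `*` and `?` are the only metacharacters,
    the whole string must match, and `like` is case-sensitive (`like~` is not)."""
    if value is None:
        return False
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.DOTALL | (re.IGNORECASE if case_insensitive else 0)
    return re.fullmatch(regex, value, flags) is not None


def rule_matches(ev, case_insensitive=False):
    """True when the event satisfies the query as written
    (or its `like~` variant when case_insensitive=True)."""
    parent = ev.get("process.parent.executable")
    cmd = ev.get("process.command_line")
    return (
        ev.get("host.os.type") == "macos"
        and ev.get("event.type") == "start"
        and ev.get("event.action") == "exec"
        and like(cmd, "*csrutil*status*", case_insensitive)
        and like(cmd, "*enabled*", case_insensitive)
        # "/*.app/*" already subsumes the two more specific patterns
        and (like(parent, "/*.app/*")
             or like(parent, "/Applications/*.app/*")
             or like(parent, "/Volumes/*.app/*"))
        and parent != MOSYLE
    )


def event(eid, parent, cmd):
    """Build a constructed macOS exec event carrying the fields the query reads."""
    return {"id": eid, "host.os.type": "macos", "event.type": "start",
            "event.action": "exec", "process.parent.executable": parent,
            "process.command_line": cmd}


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # trojanised installer launched from a mounted DMG: the case the rule targets
    event("dmg-app", "/Volumes/Installer/Setup.app/Contents/MacOS/Setup",
          '/bin/sh -c "csrutil status | grep -q enabled"'),
    # identical check from the excluded MDM agent
    event("mosyle", MOSYLE, '/bin/sh -c "csrutil status | grep enabled"'),
    # an admin typing the command in a shell: parent is zsh, not an .app bundle
    event("terminal", "/bin/zsh", "csrutil status"),
    # an app that queries status but never greps for "enabled"
    event("app-no-grep", "/Applications/Tool.app/Contents/MacOS/Tool", "csrutil status"),
    # case-changed grep: slips past the case-sensitive `like`
    event("evasion", "/Volumes/Installer/Setup.app/Contents/MacOS/Setup",
          '/bin/sh -c "csrutil status | grep -qi ENABLED"'),
]


def run_rule(events, case_insensitive=False):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e, case_insensitive)]


if __name__ == "__main__":
    print("like  :", run_rule(SAMPLE_EVENTS))                          # ['dmg-app']
    print("like~ :", run_rule(SAMPLE_EVENTS, case_insensitive=True))   # ['dmg-app', 'evasion']
```

Switching the two command-line conditions to `like~` in the real rule closes the case gap at the cost of re-checking the exclusion list; the Mosyle exception still has to be an exact path comparison, since a wildcard there would let any binary inside that bundle path through.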

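A triage helper for the provenance and escalation steps in the rule's note (code signature, notarization, Team ID, quarantine origin, mount point). This is an added example, not Elastic's code. collect_outputs() runs the real macOS tools on a live host; the parsers are exercised here on constructed sample output written to the line formats that `codesign -dv --verbose=4`, `spctl --assess --type execute -vv` and `xattr -p com.apple.quarantine` print, and the escalation criteria are the ones listed under Response and remediation. The field names are taken from the tools' current output and should be checked against your own macOS version.

```python
"""Provenance triage for a flagged .app bundle (added example, not Elastic's
code).  The parsers consume tool output; the samples below are constructed."""
import subprocess

NOTARIZED = "Notarized Developer ID"   # spctl 'source=' value for a notarized Developer ID app


def parse_codesign(text):
    """Parse `codesign -dv --verbose=4` output (the tool prints it on stderr)."""
    info = {"signed": True, "team_id": None, "authorities": []}
    for line in text.splitlines():
        if "code object is not signed at all" in line:
            info["signed"] = False
        elif line.startswith("TeamIdentifier="):
            value = line.split("=", 1)[1].strip()
            info["team_id"] = None if value == "not set" else value
        elif line.startswith("Authority="):
            info["authorities"].append(line.split("=", 1)[1].strip())
    return info


def parse_spctl(text):
    """Parse `spctl --assess --type execute -vv` output: verdict and source."""
    result = {"accepted": False, "source": None}
    for line in text.splitlines():
        if line.rstrip().endswith(": accepted"):
            result["accepted"] = True
        elif line.startswith("source="):
            result["source"] = line.split("=", 1)[1].strip()
    return result


def parse_quarantine(value):
    """Split a com.apple.quarantine value: flags;hex-timestamp;agent;uuid."""
    if not value:
        return None
    parts = (value.strip().split(";") + [""] * 4)[:4]
    return {"flags": int(parts[0], 16), "timestamp": int(parts[1], 16),
            "agent": parts[2], "uuid": parts[3]}


def assess(bundle_path, codesign_out, spctl_out, quarantine_value):
    """Apply the note's escalation criteria and return the supporting evidence."""
    cs, sp = parse_codesign(codesign_out), parse_spctl(spctl_out)
    q = parse_quarantine(quarantine_value)
    reasons = []
    if not cs["signed"]:
        reasons.append("unsigned")
    elif not sp["accepted"]:
        reasons.append("rejected by Gatekeeper")
    elif sp["source"] != NOTARIZED:
        reasons.append(f"not notarized (source={sp['source']})")
    if bundle_path.startswith("/Volumes/"):
        reasons.append("launched from mounted volume")
    if "/Downloads/" in bundle_path:
        reasons.append("launched from Downloads")
    return {"bundle": bundle_path, "team_id": cs["team_id"], "source": sp["source"],
            "download_agent": q["agent"] if q else None, "reasons": reasons}


def collect_outputs(bundle_path):
    """Run the three tools on a live macOS host; returns raw texts for assess()."""
    def run(*argv):
        return subprocess.run(argv, capture_output=True, text=True)
    cs = run("codesign", "-dv", "--verbose=4", bundle_path)
    sp = run("spctl", "--assess", "--type", "execute", "-vv", bundle_path)
    xa = run("xattr", "-p", "com.apple.quarantine", bundle_path)   # exit 1 if absent
    return (cs.stdout + cs.stderr, sp.stdout + sp.stderr,
            xa.stdout.strip() if xa.returncode == 0 else None)


# Constructed sample outputs in the tools' line formats (not real captures).
SIGNED_CODESIGN = """Executable=/Applications/Tool.app/Contents/MacOS/Tool
Identifier=com.example.tool
Format=app bundle with Mach-O universal (x86_64 arm64)
Authority=Developer ID Application: Example Inc (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""
SIGNED_SPCTL = """/Applications/Tool.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Inc (ABCDE12345)
"""
UNSIGNED_CODESIGN = "/Volumes/Installer/Setup.app: code object is not signed at all\n"
UNSIGNED_SPCTL = "/Volumes/Installer/Setup.app: rejected\nsource=no usable signature\n"
QUARANTINE = "0083;65a1b2c3;Safari;5C1B7A9E-1F0C-4D2B-9B3A-1234567890AB"

if __name__ == "__main__":
    print(assess("/Volumes/Installer/Setup.app", UNSIGNED_CODESIGN, UNSIGNED_SPCTL, QUARANTINE))
    print(assess("/Applications/Tool.app", SIGNED_CODESIGN, SIGNED_SPCTL, None))
```

The Team ID and download agent are returned alongside the reasons because they are the pivots the note asks for next: the Team ID for a fleet-wide hunt, the agent and hex timestamp in the quarantine attribute for tracing where and when the bundle was downloaded.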
