Hidden Flag Set On File/Directory Via Chflags - MacOS

calendar Aug 21, 2024 · attack.defense-evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105  ·
Share on: linkedin copy

Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

Sigma rule (View on GitHub)

 1title: Hidden Flag Set On File/Directory Via Chflags - MacOS
 2id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
 3status: experimental
 4description: |
 5    Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
 6    When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.    
 7references:
 8    - https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
 9    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
10    - https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
11    - https://ss64.com/mac/chflags.html
12author: Omar Khaled (@beacon_exe)
13date: 2024-08-21
14tags:
15    - attack.defense-evasion
16    - attack.t1218
17    - attack.t1564.004
18    - attack.t1552.001
19    - attack.t1105
20logsource:
21    product: macos
22    category: process_creation
23detection:
24    selection:
25        Image|endswith: '/chflags'
26        CommandLine|contains: 'hidden '
27    condition: selection
28falsepositives:
29    - Legitimate usage of chflags by administrators and users.
30level: medium

References

  • APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique - SentinelLabs

    Vietnamese-linked APT group OceanLotus have innovated and imitated in their latest macOS trojan, while also leaving a mysterious hard-coded calling card.


    Read More

  • OceanLotus: macOS malware update

    ESET researchers dissect a new version of a previously documented tool deployed by OceanLotus, showing that the group isn't resting on its laurels.


    Read More

  • S'ñë‹w$O@ ¼À<šâ5k_qÚ:õi»Ê2Y£~Ñy+«óÁæÈpDÉùÊvR²‹vGF+¾Îé(®‚&xú5·¢º¤é ZµhÊ+–w’ËÖߊEy=–8˜ðiƒãl ¬hÊ Â¤ô³i§MÁmL.š‰E1 {¼€«Uꛤªb£Œ”“©J ÛÊe{÷Ê*+oI°3ÖdÉg½±¥2�Øj©ÚP�5ÓÐ éØM'SˆX˜>½K2}7...


    Read More

  • chflags Man Page - macOS - SS64.com

    chflags Change a file or folder’s flags. Syntax chflags [-fhvx] [-R [-H | -L | -P]] flags file-or-folder ... Options -R Recurse: Change the file flags of file-or-folder hierarchies rooted in the fi...


    Read More

Related rules

to-top