System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
Sigma rule (View on GitHub)
1title: System Integrity Protection (SIP) Disabled
2id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6
3status: experimental
4description: |
5 Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
6references:
7 - https://ss64.com/osx/csrutil.html
8 - https://objective-see.org/blog/blog_0x6D.html
9 - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
10 - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
11author: Joseliyo Sanchez, @Joseliyo_Jstnk
12date: 2024/01/02
13tags:
14 - attack.discovery
15 - attack.t1518.001
16logsource:
17 product: macos
18 category: process_creation
19detection:
20 # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
21 selection:
22 Image|endswith: '/csrutil'
23 CommandLine|contains: 'disable'
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
-
csrutil Configure System Integrity Protection (SIP). SIP is available in El Capitan (10.11) and later. Syntax csrutil status View the SIP status csrutil enable Turn SIP on, when booted in Recovery ...
Read More -
Analyzing OSX.DazzleSpy A fully-featured cyber-espionage macOS implant by: Patrick Wardle / January 25, 2022 📝 👾 Want to play along? I’ve uploaded an OSX.DazzleSpy sample (password: infect3d) to ou...
Read More -
ESET experts noticed that the makers of the Elmedia Player software have been distributing a version of their app trojanized with the OSX/Proton malware.
Read More -
Related rules
- System Integrity Protection (SIP) Enumeration
- Security Tools Keyword Lookup Via Findstr.EXE
- Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
- Security Software Discovery Via Powershell Script
- Security Software Discovery - Linux