System Integrity Protection (SIP) Disabled

Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.

Sigma rule (View on GitHub)

 1title: System Integrity Protection (SIP) Disabled
 2id: 3603f18a-ec15-43a1-9af2-d196c8a7fec6
 3status: experimental
 4description: |
 5        Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
 6references:
 7    - https://ss64.com/osx/csrutil.html
 8    - https://objective-see.org/blog/blog_0x6D.html
 9    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
10    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
11author: Joseliyo Sanchez, @Joseliyo_Jstnk
12date: 2024-01-02
13tags:
14    - attack.discovery
15    - attack.t1518.001
16logsource:
17    product: macos
18    category: process_creation
19detection:
20    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
21    selection:
22        Image|endswith: '/csrutil'
23        CommandLine|contains: 'disable'
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top