System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
Sigma rule (View on GitHub)
1title: System Integrity Protection (SIP) Enumeration
2id: 53821412-17b0-4147-ade0-14faae67d54b
3status: test
4description: |
5 Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
6references:
7 - https://ss64.com/osx/csrutil.html
8 - https://objective-see.org/blog/blog_0x6D.html
9 - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
10 - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
11author: Joseliyo Sanchez, @Joseliyo_Jstnk
12date: 2024-01-02
13tags:
14 - attack.discovery
15 - attack.t1518.001
16logsource:
17 product: macos
18 category: process_creation
19detection:
20 # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
21 selection:
22 Image|endswith: '/csrutil'
23 CommandLine|contains: 'status'
24 condition: selection
25falsepositives:
26 - Legitimate administration activities
27level: low
References
-
csrutil Configure System Integrity Protection (SIP). SIP is available in El Capitan (10.11) and later. Syntax csrutil status View the SIP status csrutil enable Turn SIP on, when booted in Recovery ...
Read More -
Analyzing OSX.DazzleSpy A fully-featured cyber-espionage macOS implant by: Patrick Wardle / January 25, 2022 📝 👾 Want to play along? I’ve uploaded an OSX.DazzleSpy sample (password: infect3d) to ou...
Read More -
ESET experts noticed that the makers of the Elmedia Player software have been distributing a version of their app trojanized with the OSX/Proton malware.
Read More -
Related rules
- System Integrity Protection (SIP) Disabled
- Security Tools Keyword Lookup Via Findstr.EXE
- Security Software Discovery Via Powershell Script
- Security Software Discovery - Linux
- Security Software Discovery - MacOs