System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios, where an attacker checks whether SIP will block tampering with protected system locations.
Sigma rule
title: System Integrity Protection (SIP) Enumeration
id: 53821412-17b0-4147-ade0-14faae67d54b
status: experimental
description: |
    Detects the use of csrutil to view the System Integrity Protection (SIP) status. This technique is used in post-exploitation scenarios.
references:
    - https://ss64.com/osx/csrutil.html
    - https://objective-see.org/blog/blog_0x6D.html
    - https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
    - https://www.virustotal.com/gui/file/05a2adb266ec6c0ba9ed176d87d8530e71e845348c13caf9f60049760c312cd3/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-01-02
tags:
    - attack.discovery
    - attack.t1518.001
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'status'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
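To see how the selection above behaves on real-looking telemetry, here is an added example that replays the rule's two field modifiers over a handful of constructed macOS process_creation events. This is illustration code written for this page, not part of the Sigma rule or the Sigma project; the event dictionaries and their `Image`/`CommandLine`/`User` values are made up, and the two helper functions mimic Sigma's default case-insensitive semantics for `endswith` and `contains` rather than calling a Sigma library.

```python
"""Added example: evaluate the SIP Enumeration selection over sample events.

Assumptions (not from the rule or the Sigma project):
- events are dicts keyed by Sigma process_creation field names;
- Sigma string modifiers `endswith` and `contains` match case-insensitively
  by default, which is what the helpers below implement.
"""

# Constructed sample events. Field names follow the Sigma process_creation
# taxonomy; the paths, command lines and users are invented for this example.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/csrutil", "CommandLine": "csrutil status", "User": "admin"},
    # Same command in different case: Sigma matching is case-insensitive.
    {"Image": "/usr/bin/csrutil", "CommandLine": "CSRUTIL STATUS", "User": "admin"},
    # Attempt to turn SIP off: out of scope for this rule (covered by the
    # related "System Integrity Protection (SIP) Disabled" rule instead).
    {"Image": "/usr/bin/csrutil", "CommandLine": "csrutil disable", "User": "root"},
    # Unrelated process: neither condition holds.
    {"Image": "/bin/launchctl", "CommandLine": "launchctl list", "User": "alice"},
    # A real csrutil subcommand that also contains "status" and therefore matches.
    {"Image": "/usr/bin/csrutil", "CommandLine": "csrutil authenticated-root status", "User": "root"},
]

RULE_ID = "53821412-17b0-4147-ade0-14faae67d54b"
RULE_TITLE = "System Integrity Protection (SIP) Enumeration"
RULE_TAGS = ("attack.discovery", "attack.t1518.001")


def sigma_endswith(value, suffix):
    """Sigma `field|endswith: 'x'` with default case-insensitive matching."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value, needle):
    """Sigma `field|contains: 'x'` with default case-insensitive matching."""
    return needle.lower() in value.lower()


def matches_sip_enumeration(event):
    """Return True when the event satisfies the rule's `selection` block.

    Both field conditions inside one selection map are ANDed in Sigma, so an
    event must end with '/csrutil' AND contain 'status' to match.
    """
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    return sigma_endswith(image, "/csrutil") and sigma_contains(cmdline, "status")


def find_matches(events):
    """Return the subset of events that trigger the rule."""
    return [e for e in events if matches_sip_enumeration(e)]


def build_alert(event):
    """Shape a minimal alert record from a matching event, carrying the rule
    metadata an analyst needs to triage it. The `level: low` and the
    'Legitimate administration activities' false positive mean this alert is
    best used for correlation (e.g. with later tampering attempts) rather
    than as a stand-alone incident."""
    return {
        "rule_id": RULE_ID,
        "rule_title": RULE_TITLE,
        "tags": list(RULE_TAGS),
        "level": "low",
        "user": event.get("User", ""),
        "command_line": event.get("CommandLine", ""),
    }


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(build_alert(hit))
```

Running the block prints three alerts: the two `csrutil status` variants and the `csrutil authenticated-root status` event; `csrutil disable` is deliberately not matched here because that behaviour belongs to the related "System Integrity Protection (SIP) Disabled" rule.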
Related rules
- Security Software Discovery - Linux
- Security Software Discovery - MacOs
- Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
- System Integrity Protection (SIP) Disabled
- AADInternals PowerShell Cmdlets Execution - ProccessCreation