Disk Image Creation Via Hdiutil - MacOS

 1title: Disk Image Creation Via Hdiutil - MacOS
 2id: 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae
 3status: experimental
 4description: Detects the execution of the hdiutil utility in order to create a disk image.
 5references:
 6    - https://www.loobins.io/binaries/hdiutil/
 7    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
 8    - https://ss64.com/mac/hdiutil.html
 9author: Omar Khaled (@beacon_exe)
10date: 2024-08-10
11tags:
12    - attack.exfiltration
13logsource:
14    product: macos
15    category: process_creation
16detection:
17    selection:
18        Image|endswith: /hdiutil
19        CommandLine|contains: 'create'
20    condition: selection
21falsepositives:
22    - Legitimate usage of hdiutil by administrators and users.
23level: medium

References

• hdiutil

  

  Manipulate disk images using the DiskImages framework.

  
  Read More

• https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/

  
  Read More

• hdiutil Man Page - macOS - SS64.com

  hdiutil Manipulate disk images (attach, verify, burn, etc). Syntax hdiutil verb [options] DESCRIPTION hdiutil uses the DiskImages framework to manipulate disk images. Common verbs include attach, d...

  
  Read More

Related rules

• APT40 Dropbox Tool User Agent
• AWS EC2 VM Export Failure
• AWS RDS Master Password Change
• AWS S3 Data Management Tampering
• AWS Snapshot Backup Exfiltration