Disk Image Mounting Via Hdiutil - MacOS

 1title: Disk Image Mounting Via Hdiutil - MacOS
 2id: bf241472-f014-4f01-a869-96f99330ca8c
 3status: experimental
 4description: Detects the execution of the hdiutil utility in order to mount disk images.
 5references:
 6    - https://www.loobins.io/binaries/hdiutil/
 7    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
 8    - https://ss64.com/mac/hdiutil.html
 9author: Omar Khaled (@beacon_exe)
10date: 2024-08-10
11tags:
12    - attack.initial-access
13    - attack.t1566.001
14    - attack.t1560.001
15logsource:
16    product: macos
17    category: process_creation
18detection:
19    selection:
20        Image|endswith: /hdiutil
21        CommandLine|contains:
22            - 'attach '
23            - 'mount '
24    condition: selection
25falsepositives:
26    - Legitimate usage of hdiutil by administrators and users.
27level: medium

References

• hdiutil

  

  Manipulate disk images using the DiskImages framework.

  
  Read More

• https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/

  
  Read More

• hdiutil Man Page - macOS - SS64.com

  hdiutil Manipulate disk images (attach, verify, burn, etc). Syntax hdiutil verb [options] DESCRIPTION hdiutil uses the DiskImages framework to manipulate disk images. Common verbs include attach, d...

  
  Read More

Related rules

• Arbitrary Shell Command Execution Via Settingcontent-Ms
• Droppers Exploiting CVE-2017-11882
• Exploit for CVE-2017-0261
• Exploit for CVE-2017-8759
• HTML Help HH.EXE Suspicious Child Process