Disk Image Mounting Via Hdiutil - MacOS

 1title: Disk Image Mounting Via Hdiutil - MacOS
 2id: bf241472-f014-4f01-a869-96f99330ca8c
 3status: experimental
 4description: Detects the execution of the hdiutil utility in order to mount disk images.
 5references:
 6    - https://www.loobins.io/binaries/hdiutil/
 7    - https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/
 8    - https://ss64.com/mac/hdiutil.html
 9author: Omar Khaled (@beacon_exe)
10date: 2024-08-10
11tags:
12    - attack.initial-access
13    - attack.collection
14    - attack.t1566.001
15    - attack.t1560.001
16logsource:
17    product: macos
18    category: process_creation
19detection:
20    selection:
21        Image|endswith: /hdiutil
22        CommandLine|contains:
23            - 'attach '
24            - 'mount '
25    condition: selection
26falsepositives:
27    - Legitimate usage of hdiutil by administrators and users.
28level: medium

References

• hdiutil

  

  Manipulate disk images using the DiskImages framework.

  
  Read More

• https://www.sentinelone.com/blog/from-the-front-linesunsigned-macos-orat-malware-gambles-for-the-win/

  
  Read More

• hdiutil Man Page - macOS - SS64.com

  hdiutil Manipulate disk images (attach, verify, burn, etc). Syntax hdiutil verb [options] DESCRIPTION hdiutil uses the DiskImages framework to manipulate disk images. Common verbs include attach, d...

  
  Read More

Related rules

• Data Compressed
• Compressed File Creation Via Tar.EXE
• Compressed File Extraction Via Tar.EXE
• 7Zip Compressing Dump Files
• Arbitrary Shell Command Execution Via Settingcontent-Ms