Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover installed security software
Sigma rule (View on GitHub)
```yaml
title: Security Software Discovery - MacOs
id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0
status: test
description: Detects usage of system utilities (only grep for now) to discover security software discovery
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-27
tags:
  - attack.discovery
  - attack.t1518.001
logsource:
  category: process_creation
  product: macos
detection:
  image:
    Image: '/usr/bin/grep'
  selection_cli_1:
    CommandLine|contains:
      - 'nessusd'     # nessus vulnerability scanner
      - 'santad'      # google santa
      - 'CbDefense'   # carbon black
      - 'falcond'     # crowdstrike falcon
      - 'td-agent'    # fluentd log shipper
      - 'packetbeat'  # elastic network logger/shipper
      - 'filebeat'    # elastic log file shipper
      - 'auditbeat'   # elastic auditing agent/log shipper
      - 'osqueryd'    # facebook osquery
      - 'BlockBlock'  # Objective-See persistence locations watcher/blocker
      - 'LuLu'        # Objective-See firewall management utility
  selection_cli_2:  # Objective Development Software firewall management utility
    CommandLine|contains|all:
      - 'Little'
      - 'Snitch'
  condition: image and 1 of selection_cli_*
falsepositives:
  - Legitimate activities
level: medium
```
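To make the rule's matching semantics concrete, here is an added example (not part of the Sigma rule, the Sigma project, or pySigma) that reimplements only the operators this rule uses: exact `Image` match, `CommandLine|contains` over a list (any one value suffices), `CommandLine|contains|all` (every value required), and the condition `image and 1 of selection_cli_*`. Sigma string matching is case-insensitive by default, which the code reproduces. The process_creation events are constructed for illustration and are not real telemetry.

```python
# Added example: minimal evaluator for the detection block of the rule above.
# Not Sigma/pySigma code; it implements just the operators this rule relies on.

# Indicator values copied from the rule.
CLI_1_INDICATORS = [
    "nessusd", "santad", "CbDefense", "falcond", "td-agent", "packetbeat",
    "filebeat", "auditbeat", "osqueryd", "BlockBlock", "LuLu",
]
CLI_2_ALL = ["Little", "Snitch"]
IMAGE = "/usr/bin/grep"


def selection_image(event: dict) -> bool:
    """Sigma `Image: '/usr/bin/grep'` is an exact, case-insensitive match."""
    return event.get("Image", "").lower() == IMAGE.lower()


def selection_cli_1(event: dict) -> bool:
    """`CommandLine|contains:` with a list: one matching value is enough."""
    cmd = event.get("CommandLine", "").lower()
    return any(ind.lower() in cmd for ind in CLI_1_INDICATORS)


def selection_cli_2(event: dict) -> bool:
    """`CommandLine|contains|all:` requires every listed value to be present."""
    cmd = event.get("CommandLine", "").lower()
    return all(ind.lower() in cmd for ind in CLI_2_ALL)


def matches_rule(event: dict) -> bool:
    """Condition `image and 1 of selection_cli_*`: image must match and at
    least one of the selection_cli_* groups must match."""
    return selection_image(event) and (selection_cli_1(event) or selection_cli_2(event))


# Constructed sample events (not real logs). Each entry shows one branch of the logic.
SAMPLE_EVENTS = [
    # cli_1 hit, and case differs from the rule value to show case-insensitivity
    {"Image": "/usr/bin/grep", "CommandLine": "grep -i cbdefense"},
    # cli_2 hit: both 'Little' and 'Snitch' present
    {"Image": "/usr/bin/grep", "CommandLine": "grep 'Little Snitch'"},
    # only one of the two `contains|all` tokens: no match
    {"Image": "/usr/bin/grep", "CommandLine": "grep Little"},
    # indicator present but Image is not /usr/bin/grep: no match (rule gap by design)
    {"Image": "/usr/bin/pgrep", "CommandLine": "pgrep falcond"},
    # ordinary grep with no indicator: no match
    {"Image": "/usr/bin/grep", "CommandLine": "grep -r TODO src/"},
]


def evaluate(events: list) -> list:
    """Return one boolean per event: whether the rule would fire on it."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{'MATCH ' if hit else 'no    '} {ev['Image']}  {ev['CommandLine']}")
```

The fourth sample event is worth noting for tuning: because the `image` selection pins `/usr/bin/grep`, the same indicator queried through `pgrep` or `ps` is outside this rule's scope, which is what the description's "only grep for now" means in practice.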
Related rules
- Security Software Discovery - Linux
- Sysmon Discovery Via Default Driver Altitude Using Findstr.EXE
- System Integrity Protection (SIP) Disabled
- System Integrity Protection (SIP) Enumeration
- AADInternals PowerShell Cmdlets Execution - ProccessCreation