Suspicious MacOS Firmware Activity
Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
Sigma rule (View on GitHub)
1title: Suspicious MacOS Firmware Activity
2id: 7ed2c9f7-c59d-4c82-a7e2-f859aa676099
3status: test
4description: Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.
5references:
6 - https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml
7 - https://www.manpagez.com/man/8/firmwarepasswd/
8 - https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web
9author: Austin Songer @austinsonger
10date: 2021-09-30
11modified: 2022-10-09
12tags:
13 - attack.impact
14logsource:
15 category: process_creation
16 product: macos
17detection:
18 selection1:
19 Image: '/usr/sbin/firmwarepasswd'
20 CommandLine|contains:
21 - 'setpasswd'
22 - 'full'
23 - 'delete'
24 - 'check'
25 condition: selection1
26falsepositives:
27 - Legitimate administration activities
28level: medium
References
-
macOS Security Compliance Project. Contribute to usnistgov/macos_security development by creating an account on GitHub.
Read More -
manpagez: man pages & more man firmwarepasswd(8) man pages By Section Alphabetically firmwarepasswd(8) BSD System Manager's Manual firmwarepasswd(8) NAME firmwarepasswd -- tool for setting and remo...
Read More -
An Intel-based Mac with an Apple T2 Security Chip supports firmware password protection to help prevent unintended modifications of firmware settings on a specific Mac.
Read More
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EC2 Disable EBS Encryption
- AWS EFS Fileshare Modified or Deleted
- AWS EFS Fileshare Mount Modified or Deleted