System Information Discovery Using sw_vers

Detects execution of "sw_vers" with the -productVersion, -productName or -buildVersion option, a macOS system information discovery technique (ATT&CK T1082)

Sigma rule

title: System Information Discovery Using sw_vers
id: 5de06a6f-673a-4fc0-8d48-bcfe3837b033
status: experimental
description: Detects the use of "sw_vers" for system information discovery
references:
    - https://www.virustotal.com/gui/file/d3fa64f63563fe958b75238742d1e473800cb5f49f5cb79d38d4aa3c93709026/behavior
    - https://www.virustotal.com/gui/file/03b71eaceadea05bc0eea5cddecaa05f245126d6b16cfcd0f3ba0442ac58dab3/behavior
    - https://ss64.com/osx/sw_vers.html
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2023/12/20
tags:
    - attack.discovery
    - attack.t1082
logsource:
    product: macos
    category: process_creation
detection:
    # VT Query: 'behavior_processes:"sw_vers" and (behavior_processes:"-productVersion" or behavior_processes:"-productName" or behavior_processes:"-buildVersion") tag:dmg p:5+'
    selection_image:
        Image|endswith: '/sw_vers'
    selection_options:
        CommandLine|contains:
            - '-buildVersion'
            - '-productName'
            - '-productVersion'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative activities
level: medium
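To see exactly what the detection block above does and does not fire on, the rule's two selections and its condition are translated by hand into Python below and run over a handful of constructed macOS process_creation events. This is an added example, not code from the Sigma rule, SigmaHQ or any Sigma backend; the event records are made up for illustration and use the Sigma process_creation field names (Image, CommandLine). Sigma string matching is case-insensitive and `contains` is a plain substring test, which the code reproduces.

```python
"""Hand-translation of the 'System Information Discovery Using sw_vers'
Sigma logic, run against constructed macOS process_creation events.

Added example, not part of the Sigma rule or the SigmaHQ tooling.
Assumptions: events are dicts with the Sigma process_creation field
names 'Image' and 'CommandLine'; sample events are constructed.
"""

# Values copied from the rule's detection block.
IMAGE_SUFFIX = "/sw_vers"
COMMANDLINE_NEEDLES = ("-buildVersion", "-productName", "-productVersion")


def selection_image(event: dict) -> bool:
    """selection_image: Image|endswith '/sw_vers' (case-insensitive, as in Sigma)."""
    return event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower())


def selection_options(event: dict) -> bool:
    """selection_options: CommandLine|contains any of the three flags.

    A list under a single field modifier is OR-ed in Sigma, and 'contains'
    is a substring test, so '--productName' or '-productVersionExtra'
    also satisfy it.
    """
    cmd = event.get("CommandLine", "").lower()
    return any(needle.lower() in cmd for needle in COMMANDLINE_NEEDLES)


def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_image(event) and selection_options(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "Image": "/usr/bin/sw_vers",
     "CommandLine": "sw_vers -productVersion"},
    {"id": 2, "Image": "/usr/bin/sw_vers",
     "CommandLine": "sw_vers --productName"},
    # Bare sw_vers prints all three values but carries no flag: NOT matched.
    {"id": 3, "Image": "/usr/bin/sw_vers",
     "CommandLine": "sw_vers"},
    # Shell wrapper: Image is the shell, so this event does not match; the
    # child sw_vers process it spawns produces its own event that would.
    {"id": 4, "Image": "/bin/bash",
     "CommandLine": "bash -c 'sw_vers -buildVersion'"},
    {"id": 5, "Image": "/usr/sbin/system_profiler",
     "CommandLine": "system_profiler SPSoftwareDataType"},
    # Longer flag sharing the '-productVersion' prefix: matched by substring.
    {"id": 6, "Image": "/usr/bin/sw_vers",
     "CommandLine": "sw_vers -productVersionExtra"},
]


def matching_ids(events=SAMPLE_EVENTS) -> list:
    """Return the ids of all events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']}: {'MATCH' if matches(e) else 'no match':8} {e['CommandLine']}")
```

Two caveats the sample events make visible: `sw_vers` run with no option prints productName, productVersion and buildVersion together, so an adversary who omits the flag is not caught by this rule, and a `bash -c '...'` wrapper is only caught through the child `sw_vers` process, so the log source must record child process creations rather than just the top-level shell.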
