System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
Sigma rule (View on GitHub)
1title: System Information Discovery Via Sysctl - MacOS
2id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
3status: experimental
4description: |
5 Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
6 This process is primarily used to detect and avoid virtualization and analysis environments.
7references:
8 - https://www.loobins.io/binaries/sysctl/#
9 - https://evasions.checkpoint.com/techniques/macos.html
10 - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
11 - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
12 - https://objective-see.org/blog/blog_0x1E.html
13 - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
14 - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
15author: Pratinav Chandra
16date: 2024-05-27
17tags:
18 - attack.defense-evasion
19 - attack.t1497.001
20 - attack.discovery
21 - attack.t1082
22logsource:
23 product: macos
24 category: process_creation
25detection:
26 selection_img:
27 - Image|endswith: '/sysctl'
28 - CommandLine|contains: 'sysctl'
29 selection_cmd:
30 CommandLine|contains:
31 - 'hw.'
32 - 'kern.'
33 - 'machdep.'
34 condition: all of selection_*
35falsepositives:
36 - Legitimate administrative activities
37level: medium
References
Related rules
- Potential Suspicious Activity Using SeCEdit
- Bitbucket User Details Export Attempt Detected
- Cisco Discovery
- Container Residence Discovery Via Proc Virtual FS
- Docker Container Discovery Via Dockerenv Listing