System Information Discovery Via Sysctl - MacOS

Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.

Sigma rule (View on GitHub)

 1title: System Information Discovery Via Sysctl - MacOS
 2id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
 3status: experimental
 4description: |
 5    Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
 6    This process is primarily used to detect and avoid virtualization and analysis environments.    
 7references:
 8    - https://www.loobins.io/binaries/sysctl/#
 9    - https://evasions.checkpoint.com/techniques/macos.html
10    - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
11    - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
12    - https://objective-see.org/blog/blog_0x1E.html
13    - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
14    - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
15author: Pratinav Chandra
16date: 2024-05-27
17tags:
18    - attack.defense-evasion
19    - attack.t1497.001
20    - attack.discovery
21    - attack.t1082
22logsource:
23    product: macos
24    category: process_creation
25detection:
26    selection_img:
27        - Image|endswith: '/sysctl'
28        - CommandLine|contains: 'sysctl'
29    selection_cmd:
30        CommandLine|contains:
31            - 'hw.'
32            - 'kern.'
33            - 'machdep.'
34    condition: all of selection_*
35falsepositives:
36    - Legitimate administrative activities
37level: medium

References

Related rules

to-top