System Information Discovery Via Sysctl - MacOS
Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information. This process is primarily used to detect and avoid virtualization and analysis environments.
Sigma rule (View on GitHub)
1title: System Information Discovery Via Sysctl - MacOS
2id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
3status: experimental
4description: |
5 Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
6 This process is primarily used to detect and avoid virtualization and analysis environments.
7references:
8 - https://www.loobins.io/binaries/sysctl/#
9 - https://evasions.checkpoint.com/techniques/macos.html
10 - https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
11 - https://www.sentinelone.com/labs/20-common-tools-techniques-used-by-macos-threat-actors-malware/
12 - https://objective-see.org/blog/blog_0x1E.html
13 - https://www.virustotal.com/gui/file/1c547a064494a35d6b5e6b459de183ab2720a22725e082bed6f6629211f7abc1/behavior
14 - https://www.virustotal.com/gui/file/b4b1fc65f87b3dcfa35e2dbe8e0a34ad9d8a400bec332025c0a2e200671038aa/behavior
15author: Pratinav Chandra
16date: 2024-05-27
17tags:
18 - attack.defense-evasion
19 - attack.t1497.001
20 - attack.discovery
21 - attack.t1082
22logsource:
23 product: macos
24 category: process_creation
25detection:
26 selection_img:
27 - Image|endswith: '/sysctl'
28 - CommandLine|contains: 'sysctl'
29 selection_cmd:
30 CommandLine|contains:
31 - 'hw.'
32 - 'kern.'
33 - 'machdep.'
34 condition: all of selection_*
35falsepositives:
36 - Legitimate administrative activities
37level: medium
References
-
ESET researchers dissect a new version of a previously documented tool deployed by OceanLotus, showing that the group isn't resting on its laurels.
Read More -
Threat hunting on macOS? These are the tools malware most often leverages, with ITW examples, MITRE behavioral indicators and links to further research.
Read More -
OSX/MacRansom › analyzing the latest ransomware to target macs 6/12/2017 love these blog posts? support my tools & writing on patreon! Mahalo :) Want to play along? I've shared both the malware's b...
Read More -
-
Related rules
- PUA - System Informer Execution
- Potential Suspicious Activity Using SeCEdit
- Bitbucket User Details Export Attempt Detected
- Cisco Discovery
- Container Residence Discovery Via Proc Virtual FS