Detectionmediumtest
Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover security software discovery
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Daniil Yugoslavskiy, oscd.communityCreated Mon Oct 19Updated Sun Nov 270ed75b9c-c73b-424d-9e7d-496cd565fbe0macos
Log Source
macOSProcess Creation
ProductmacOS← raw: macos
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic3 selectors
detection:
image:
Image: '/usr/bin/grep'
selection_cli_1:
CommandLine|contains:
- 'nessusd' # nessus vulnerability scanner
- 'santad' # google santa
- 'CbDefense' # carbon black
- 'falcond' # crowdstrike falcon
- 'td-agent' # fluentd log shipper
- 'packetbeat' # elastic network logger/shipper
- 'filebeat' # elastic log file shipper
- 'auditbeat' # elastic auditing agent/log shipper
- 'osqueryd' # facebook osquery
- 'BlockBlock' # Objective-See persistence locations watcher/blocker
- 'LuLu' # Objective-See firewall management utility
selection_cli_2: # Objective Development Software firewall management utility
CommandLine|contains|all:
- 'Little'
- 'Snitch'
condition: image and 1 of selection_cli_*False Positives
Legitimate activities
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
0ed75b9c-c73b-424d-9e7d-496cd565fbe0
Status
test
Level
medium
Type
Detection
Created
Mon Oct 19
Modified
Sun Nov 27
Path
rules/macos/process_creation/proc_creation_macos_security_software_discovery.yml
Raw Tags
attack.discoveryattack.t1518.001