Detectionmediumtest

System Integrity Protection (SIP) Disabled

Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Joseliyo SanchezCreated Tue Jan 023603f18a-ec15-43a1-9af2-d196c8a7fec6macos

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'disable'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0007 · Discovery

Sub-techniques

T1518.001 · Security Software Discovery

Rule Metadata

Rule ID

3603f18a-ec15-43a1-9af2-d196c8a7fec6

Status

test

Level

medium

Type

Detection

Created

Tue Jan 02

Author

Joseliyo Sanchez

Path

rules/macos/process_creation/proc_creation_macos_csrutil_disable.yml

Raw Tags

attack.discoveryattack.t1518.001

View on GitHub