Detectionlowtest

System Integrity Protection (SIP) Enumeration

Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Joseliyo SanchezCreated Tue Jan 0253821412-17b0-4147-ade0-14faae67d54bmacos

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    # VT Query: behavior_processes:"csrutil status" p:5+ type:mac
    selection:
        Image|endswith: '/csrutil'
        CommandLine|contains: 'status'
    condition: selection

False Positives

Legitimate administration activities

References

MITRE ATT&CK

Tactics

TA0007 · Discovery

Sub-techniques

T1518.001 · Security Software Discovery

Rule Metadata

Rule ID

53821412-17b0-4147-ade0-14faae67d54b

Status

test

Level

low

Type

Detection

Created

Tue Jan 02

Author

Joseliyo Sanchez

Path

rules/macos/process_creation/proc_creation_macos_csrutil_status.yml

Raw Tags

attack.discoveryattack.t1518.001

View on GitHub