Detectionmediumtest

Suspicious MacOS Firmware Activity

Detects when a user manipulates with Firmward Password on MacOS. NOTE - this command has been disabled on silicon-based apple computers.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin SongerCreated Thu Sep 30Updated Sun Oct 097ed2c9f7-c59d-4c82-a7e2-f859aa676099macos

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection1:
        Image: '/usr/sbin/firmwarepasswd'
        CommandLine|contains:
            - 'setpasswd'
            - 'full'
            - 'delete'
            - 'check'
    condition: selection1

False Positives

Legitimate administration activities

References

MITRE ATT&CK

Tactics

TA0040 · Impact

Rule Metadata

Rule ID

7ed2c9f7-c59d-4c82-a7e2-f859aa676099

Status

test

Level

medium

Type

Detection

Created

Thu Sep 30

Modified

Sun Oct 09

Author

Austin Songer

Path

rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml

Raw Tags

attack.impact

View on GitHub