Sigma Rules
70 rules found
MacOS Scripting Interpreter AppleScript
Detects execution of AppleScript of the macOS scripting language AppleScript.
Decode Base64 Encoded Text -MacOs
Detects usage of base64 utility to decode arbitrary base64-encoded text
Binary Padding - MacOS
Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.
File Time Attribute Change
Detect file time attribute change to hide new or changes to existing files
Hidden Flag Set On File/Directory Via Chflags - MacOS
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Indicator Removal on Host - Clear Mac System Logs
Detects deletion of local audit logs
Clipboard Data Collection Via OSAScript
Detects possible collection of data from the clipboard via execution of the osascript binary
Creation Of A Local User Account
Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
Hidden User Creation
Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
Credentials from Password Stores - Keychain
Detects passwords dumps from Keychain
System Integrity Protection (SIP) Disabled
Detects the use of csrutil to disable the Configure System Integrity Protection (SIP). This technique is used in post-exploit scenarios.
System Integrity Protection (SIP) Enumeration
Detects the use of csrutil to view the Configure System Integrity Protection (SIP) status. This technique is used in post-exploit scenarios.
Disable Security Tools
Detects disabling security tools
User Added To Admin Group Via Dscl
Detects attempts to create and add an account to the admin group via "dscl"
User Added To Admin Group Via DseditGroup
Detects attempts to create and/or add an account to the admin group, thus granting admin privileges.
Root Account Enable Via Dsenableroot
Detects attempts to enable the root account via "dsenableroot"
File and Directory Discovery - MacOS
Detects usage of system utilities to discover files and directories
Credentials In Files
Detecting attempts to extract passwords with grep and laZagne
GUI Input Capture - macOS
Detects attempts to use system dialog prompts to capture user credentials
Disk Image Creation Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to create a disk image.
Disk Image Mounting Via Hdiutil - MacOS
Detects the execution of the hdiutil utility in order to mount disk images.
Suspicious Installer Package Child Process
Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
System Information Discovery Using Ioreg
Detects the use of "ioreg" which will show I/O Kit registry information. This process is used for system information discovery. It has been observed in-the-wild by calling this process directly or using bash and grep to look for specific strings.
JAMF MDM Potential Suspicious Child Process
Detects potential suspicious child processes of "jamf". Could be a sign of potential abuse of Jamf as a C2 server as seen by Typhon MythicAgent.
JAMF MDM Execution
Detects execution of the "jamf" binary to create user accounts and run commands. For example, the binary can be abused by attackers on the system in order to bypass security controls or remove application control polices.
JXA In-memory Execution Via OSAScript
Detects possible malicious execution of JXA in-memory via OSAScript
Launch Agent/Daemon Execution Via Launchctl
Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
Local System Accounts Discovery - MacOs
Detects enumeration of local systeam accounts on MacOS
Local Groups Discovery - MacOs
Detects enumeration of local system groups
MacOS Network Service Scanning
Detects enumeration of local or remote network services.
Network Sniffing - MacOs
Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
File Download Via Nscurl - MacOS
Detects the execution of the nscurl utility in order to download files.
Suspicious Microsoft Office Child Process - MacOS
Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
OSACompile Run-Only Execution
Detects potential suspicious run-only executions compiled using OSACompile
Payload Decoded and Decrypted via Built-in Utilities
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
Potential Persistence Via PlistBuddy
Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
Remote Access Tool - Potential MeshAgent Execution - MacOS
Detects potential execution of MeshAgent which is a tool used for remote access. Historical data shows that threat actors rename MeshAgent binary to evade detection. Matching command lines with the '--meshServiceName' argument can indicate that the MeshAgent is being used for remote access.
Remote Access Tool - Renamed MeshAgent Execution - MacOS
Detects the execution of a renamed instance of the Remote Monitoring and Management (RMM) tool, MeshAgent. RMM tools such as MeshAgent are commonly utilized by IT administrators for legitimate remote support and system management. However, malicious actors may exploit these tools by renaming them to bypass detection mechanisms, enabling unauthorized access and control over compromised systems.
Remote Access Tool - Team Viewer Session Started On MacOS Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Macos Remote System Discovery
Detects the enumeration of other remote systems.
Scheduled Cron Task/Job - MacOs
Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
Screen Capture - macOS
Detects attempts to use screencapture to collect macOS screenshots
Security Software Discovery - MacOs
Detects usage of system utilities (only grep for now) to discover security software discovery
Space After Filename - macOS
Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
Split A File Into Pieces
Detection use of the command "split" to split files into parts and possible transfer.
Osacompile Execution By Potentially Suspicious Applet/Osascript
Detects potential suspicious applet or osascript executing "osacompile".
Suspicious Browser Child Process - MacOS
Detects suspicious child processes spawned from browsers. This could be a result of a potential web browser exploitation.
Suspicious Execution via macOS Script Editor
Detects when the macOS Script Editor utility spawns an unusual child process.