Techniques
Sample rules
Time Machine Backup Deletion Attempt Via Tmutil - MacOS
- source: sigma
- techniques:
- t1490
Description
Detects deletion attempts of macOS Time Machine backups via the native backup utility “tmutil”. An adversary may perform this action before launching a ransomware attack to prevent the victim from restoring their files.
Detection logic
condition: all of selection_*
selection_cmd:
    CommandLine|contains: delete
selection_img:
    - Image|endswith: /tmutil
    - CommandLine|contains: tmutil
Disable Security Tools
- source: sigma
- techniques:
- t1562
- t1562.001
Description
Detects attempts to disable security tools on macOS, either by unloading a security tool's launchd plist or by disabling Gatekeeper.
Detection logic
condition: (launchctl_unload and security_plists) or disable_gatekeeper
disable_gatekeeper:
    CommandLine|contains: disable
    Image: /usr/sbin/spctl
launchctl_unload:
    CommandLine|contains: unload
    Image: /bin/launchctl
security_plists:
    CommandLine|contains:
        - com.objective-see.lulu.plist
        - com.objective-see.blockblock.plist
        - com.google.santad.plist
        - com.carbonblack.defense.daemon.plist
        - com.carbonblack.daemon.plist
        - at.obdev.littlesnitchd.plist
        - com.tenablesecurity.nessusagent.plist
        - com.opendns.osx.RoamingClientConfigUpdater.plist
        - com.crowdstrike.falcond.plist
        - com.crowdstrike.userdaemon.plist
        - osquery
        - filebeat
        - auditbeat
        - packetbeat
        - td-agent
System Network Connections Discovery - MacOs
- source: sigma
- techniques:
- t1049
Description
Detects usage of system utilities to discover system network connections
Detection logic
condition: selection
selection:
    Image|endswith:
        - /who
        - /w
        - /last
        - /lsof
        - /netstat
File and Directory Discovery - MacOS
- source: sigma
- techniques:
- t1083
Description
Detects usage of system utilities to discover files and directories
Detection logic
condition: 1 of select*
select_file_with_asterisk:
    CommandLine|re: (.){200,}
    Image: /usr/bin/file
select_find_execution:
    Image: /usr/bin/find
select_mdfind_execution:
    Image: /usr/bin/mdfind
select_recursive_ls:
    CommandLine|contains: -R
    Image: /bin/ls
select_tree_execution:
    Image|endswith: /tree
Decode Base64 Encoded Text - MacOs
- source: sigma
- techniques:
- t1027
Description
Detects usage of base64 utility to decode arbitrary base64-encoded text
Detection logic
condition: selection
selection:
    CommandLine|contains: -d
    Image: /usr/bin/base64
Gatekeeper Bypass via Xattr
- source: sigma
- techniques:
- t1553
- t1553.001
Description
Detects macOS Gatekeeper bypass via xattr utility
Detection logic
condition: selection
selection:
    CommandLine|contains|all:
        - -d
        - com.apple.quarantine
    Image|endswith: /xattr
Security Software Discovery - MacOs
- source: sigma
- techniques:
- t1518
- t1518.001
Description
Detects usage of system utilities (only grep for now) to discover installed security software
Detection logic
condition: image and 1 of selection_cli_*
image:
    Image: /usr/bin/grep
selection_cli_1:
    CommandLine|contains:
        - nessusd
        - santad
        - CbDefense
        - falcond
        - td-agent
        - packetbeat
        - filebeat
        - auditbeat
        - osqueryd
        - BlockBlock
        - LuLu
selection_cli_2:
    CommandLine|contains|all:
        - Little
        - Snitch
System Network Connections Discovery - Linux
- source: sigma
- techniques:
- t1049
Description
Detects usage of system utilities to discover system network connections
Detection logic
condition: selection and not 1 of filter_*
filter_landscape_sysinfo:
    Image|endswith: /who
    ParentCommandLine|contains: /usr/bin/landscape-sysinfo
selection:
    Image|endswith:
        - /who
        - /w
        - /last
        - /lsof
        - /netstat
File and Directory Discovery - Linux
- source: sigma
- techniques:
- t1083
Description
Detects usage of system utilities such as “find”, “tree”, “findmnt”, etc., to discover files, directories and network shares.
Detection logic
condition: 1 of selection_*
selection_file_with_asterisk:
    CommandLine|re: (.){200,}
    Image|endswith: /file
selection_find_execution:
    Image|endswith: /find
selection_findmnt_execution:
    Image|endswith: /findmnt
selection_locate_execution:
    Image|endswith: /mlocate
selection_recursive_ls:
    CommandLine|contains: -R
    Image|endswith: /ls
selection_tree_execution:
    Image|endswith: /tree
Security Software Discovery - Linux
- source: sigma
- techniques:
- t1518
- t1518.001
Description
Detects usage of system utilities (only grep and egrep for now) to discover installed security software
Detection logic
condition: selection
selection:
    CommandLine|contains:
        - nessusd
        - td-agent
        - packetbeat
        - filebeat
        - auditbeat
        - osqueryd
        - cbagentd
        - falcond
    Image|endswith:
        - /grep
        - /egrep
Decode Base64 Encoded Text
- source: sigma
- techniques:
- t1027
Description
Detects usage of base64 utility to decode arbitrary base64-encoded text
Detection logic
condition: selection
selection:
    CommandLine|contains: -d
    Image|endswith: /base64