LoFP / legitimate usage of chflags by administrators and users.

Techniques

Sample rules

Hidden Flag Set On File/Directory Via Chflags - MacOS

Description

Detects the execution of the “chflags” utility with the “hidden” flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.

Detection logic

condition: selection
selection:
  CommandLine|contains: 'hidden '
  Image|endswith: /chflags
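As an added illustration (not part of the LoFP entry or the Sigma rule), the selection above evaluated in Python over constructed process-creation events, next to a stricter check that parses the chflags argument list; the event samples and helper names are assumptions. It shows that the substring match 'hidden ' also fires on `chflags nohidden` (which clears the flag), a case the stricter parse separates out.

```python
import shlex

# Constructed sample process-creation events (not real telemetry). Field names
# follow the Sigma rule: Image is the executable path, CommandLine the argv string.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/chflags", "CommandLine": "chflags hidden /Users/alice/.stash"},
    {"Image": "/usr/bin/chflags", "CommandLine": "chflags -R hidden /Users/admin/Library"},
    {"Image": "/usr/bin/chflags", "CommandLine": "chflags nohidden /Users/bob/Documents"},
    {"Image": "/usr/bin/chflags", "CommandLine": "chflags uchg,hidden /tmp/keep"},
    {"Image": "/usr/bin/chflags", "CommandLine": "chflags uchg /etc/hosts"},
    {"Image": "/bin/ls", "CommandLine": "ls -lO hidden /tmp"},
]


def sigma_selection_matches(event):
    """Mirror the rule's selection. Sigma string modifiers such as
    |contains and |endswith are case-insensitive by default."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    return image.endswith("/chflags") and "hidden " in cmdline


def chflags_sets_hidden(event):
    """Stricter check: require the chflags binary, then parse argv and require
    'hidden' as one of the comma-separated flag keywords
    (chflags [-options] flags file ...), so 'nohidden' does not match."""
    if not event.get("Image", "").lower().endswith("/chflags"):
        return False
    try:
        argv = shlex.split(event.get("CommandLine", ""))
    except ValueError:  # unbalanced quotes in the captured command line
        return False
    positional = [a for a in argv[1:] if not a.startswith("-")]
    if len(positional) < 2:  # need at least <flags> and one path
        return False
    flags = {f.strip().lower() for f in positional[0].split(",")}
    return "hidden" in flags


def evaluate(events):
    """Return (CommandLine, rule_hit, sets_hidden) per event, so an analyst can
    see which rule hits the stricter parse drops and which remain for triage."""
    return [(e["CommandLine"], sigma_selection_matches(e), chflags_sets_hidden(e))
            for e in events]


if __name__ == "__main__":
    for cmd, hit, sets in evaluate(SAMPLE_EVENTS):
        print(f"rule_hit={hit!s:5} sets_hidden={sets!s:5}  {cmd}")
```

The second event is the legitimate administrator usage this LoFP entry documents: it hits both checks, so it still has to be handled by allow-listing or triage rather than by tightening the match.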