LoFP / legitimate usage of hdiutil by administrators and users.

Techniques

• t1560
• t1560.001
• t1566
• t1566.001

Sample rules

Disk Image Creation Via Hdiutil - MacOS

• source: sigma
• technicques:

Description

Detects the execution of the hdiutil utility in order to create a disk image.

Detection logic

condition: selection
selection:
  CommandLine|contains: create
  Image|endswith: /hdiutil

Disk Image Mounting Via Hdiutil - MacOS

• source: sigma
• technicques:
  • t1560
  • t1560.001
  • t1566
  • t1566.001

Description

Detects the execution of the hdiutil utility in order to mount disk images.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - 'attach '
  - 'mount '
  Image|endswith: /hdiutil