
New Rule: proc_creation_macos_sysctl_discovery.yml

Open pratinavchandra opened this issue 10 months ago • 2 comments

Summary of the Pull Request

Added a new rule to detect execution of sysctl on macOS.

  • sysctl can be used to gather interesting macOS host data, including hardware information, memory size, logical CPU information, etc.
  • It has been used in the past by threat actors to determine whether the target macOS host is running on a physical or virtual machine and also for system information discovery.
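As an added illustration (not the rule from this PR, and not SigmaHQ code), the selection logic a process_creation rule like this one expresses, run over constructed sample events; the field names follow the Sigma process_creation log source, and the key-to-label map is an assumption for triage context only:

```python
# Added example: matching logic of a macOS process_creation rule for sysctl,
# applied to constructed sample events (not the PR's rule, not SigmaHQ code).
import json

# Constructed sample process-creation events in a simplified JSON form;
# field names follow the Sigma process_creation log source (Image, CommandLine).
SAMPLE_EVENTS = [
    '{"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl hw.model hw.memsize hw.logicalcpu"}',
    '{"Image": "/bin/ls", "CommandLine": "ls -la /tmp"}',
    '{"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl -n machdep.cpu.brand_string"}',
    '{"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl kern.osversion"}',
]

# sysctl MIB prefixes for the host data the PR description names (hardware,
# memory, CPU). The labels are constructed for this example.
HOST_INFO_PREFIXES = {
    "hw.model": "hardware model",
    "hw.memsize": "memory size",
    "hw.logicalcpu": "logical CPU count",
    "machdep.cpu": "CPU details",
}


def matches_rule(event: dict) -> bool:
    """Selection equivalent of a Sigma rule with Image|endswith '/sysctl'."""
    return event.get("Image", "").endswith("/sysctl")


def classify(event: dict) -> list:
    """List which host-information keys the command line queries (triage context)."""
    args = event.get("CommandLine", "").split()
    return [label for key, label in HOST_INFO_PREFIXES.items()
            if any(arg.startswith(key) for arg in args)]


def scan(lines: list) -> list:
    """Run the selection over raw JSON lines; return one alert per matching event."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if matches_rule(event):
            alerts.append({"CommandLine": event["CommandLine"],
                           "queried": classify(event)})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The third alert shows the point of the rule as described: any sysctl execution matches, and the queried keys are only added context for the analyst.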

Example Usage in the wild:


Changelog

New: MacOS System Discovery Using Sysctl

Example Log Event

sysctl

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

pratinavchandra, Mar 26 '24 21:03

@nasbench Any progress on this? Is there anything else needed from my end?

pratinavchandra, Apr 19 '24 16:04

Nothing needed from your side. Will get to this PR soon enough :)

nasbench, Apr 19 '24 16:04