Suspicious SIP Check by macOS Application

Detects the unusual use of csrutil by a macOS application to check System Integrity Protection (SIP) status. While not malicious in itself, this activity is highly indicative of malware verifying it is not running in a virtual machine or protected environment prior to executing its payload.

Rule type: eql
Rule indices:

  • logs-endpoint.events.process-*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Endpoint
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Tactic: Defense Evasion
  • Data Source: Elastic Defend

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

process where host.os.type == "macos" and event.type == "start" and event.action == "exec" and
  process.command_line like "*csrutil*status*" and
  process.command_line like "*enabled*" and
  (process.parent.executable like "/*.app/*" or
   process.parent.executable like "/Applications/*.app/*" or
   process.parent.executable like "/Volumes/*.app/*") and
  not process.parent.executable == "/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM"

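The query above re-implemented in plain Python, as an added example that is not part of the Elastic rule or its repository: it reproduces each clause with glob matching and runs them over four constructed process events, showing which parent executables alert and which the Mosyle exclusion or a missing "enabled" string suppresses. The helper names (`matches_rule`, `_event`, `alerting_parents`) are this example's own, the event dictionaries use the ECS field names from the query, and every sample value is constructed.

```python
import fnmatch

# Patterns copied from the rule. EQL `like` is case-sensitive and `*` matches any
# run of characters, "/" included, so fnmatchcase reproduces it for these patterns.
PARENT_PATTERNS = ("/*.app/*", "/Applications/*.app/*", "/Volumes/*.app/*")
MOSYLE_EXCLUSION = "/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM"

def _like(value, pattern):
    return fnmatch.fnmatchcase(value, pattern)

def matches_rule(event: dict) -> bool:
    """True when the event satisfies every clause of the EQL query."""
    if not (event.get("host.os.type") == "macos" and event.get("event.type") == "start"
            and event.get("event.action") == "exec"):
        return False
    cmd = event.get("process.command_line", "")
    parent = event.get("process.parent.executable", "")
    return (_like(cmd, "*csrutil*status*") and _like(cmd, "*enabled*")
            and any(_like(parent, p) for p in PARENT_PATTERNS)
            and parent != MOSYLE_EXCLUSION)

def _event(cmd: str, parent: str) -> dict:
    """Constructed macOS exec event carrying only the ECS fields the rule reads."""
    return {"host.os.type": "macos", "event.type": "start", "event.action": "exec",
            "process.command_line": cmd, "process.parent.executable": parent}

# Constructed sample telemetry, not real endpoint data.
SAMPLE_EVENTS = [
    # App bundle spawning a shell that checks SIP and greps for "enabled": alerts.
    _event("/bin/sh -c 'csrutil status | grep enabled'",
           "/Applications/Updater.app/Contents/MacOS/Updater"),
    # Same command from the Mosyle MDM agent: suppressed by the rule's exclusion.
    _event("/bin/sh -c 'csrutil status | grep enabled'", MOSYLE_EXCLUSION),
    # Admin typing the command in a shell: no "enabled" and parent is not a bundle.
    _event("csrutil status", "/bin/zsh"),
    # App runs csrutil status but never tests for "enabled": no alert.
    _event("/bin/sh -c 'csrutil status'", "/Volumes/Installer/Tool.app/Contents/MacOS/Tool"),
]

def alerting_parents(events) -> list:
    """Parent executables of the events that would raise this alert."""
    return [e["process.parent.executable"] for e in events if matches_rule(e)]

if __name__ == "__main__":
    for parent in alerting_parents(SAMPLE_EVENTS):
        print("ALERT:", parent)
```

Note that the first parent pattern, `/*.app/*`, already matches the `/Applications/` and `/Volumes/` paths, so the two narrower patterns serve as documentation of intent rather than widening the match.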
Framework: MITRE ATT&CK