Sigma rules for CVE-2026-28727
63 rules · scoped to cve · back to CVE-2026-28727
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Macos Remote System Discovery
id: 10227522-8429-47e6-a301-f2b2d014e7ad
status: test
description: Detects the enumeration of other remote systems.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-22
modified: 2021-11-27
tags:
- attack.discovery
- attack.t1018
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/arp'
CommandLine|contains: '-a'
selection_2:
Image|endswith: '/ping'
CommandLine|contains:
- ' 10.' # 10.0.0.0/8
- ' 192.168.' # 192.168.0.0/16
- ' 172.16.' # 172.16.0.0/12
- ' 172.17.'
- ' 172.18.'
- ' 172.19.'
- ' 172.20.'
- ' 172.21.'
- ' 172.22.'
- ' 172.23.'
- ' 172.24.'
- ' 172.25.'
- ' 172.26.'
- ' 172.27.'
- ' 172.28.'
- ' 172.29.'
- ' 172.30.'
- ' 172.31.'
- ' 127.' # 127.0.0.0/8
- ' 169.254.' # 169.254.0.0/16
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: informational
title: Space After Filename - macOS
id: b6e2a2e3-2d30-43b1-a4ea-071e36595690
status: test
description: Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.006/T1036.006.md
author: remotephone
date: 2021-11-20
modified: 2023-01-04
tags:
- attack.stealth
- attack.t1036.006
logsource:
product: macos
category: process_creation
detection:
selection1:
CommandLine|endswith: ' '
selection2:
Image|endswith: ' '
condition: 1 of selection*
falsepositives:
- Mistyped commands or legitimate binaries named to match the pattern
level: low
title: Screen Capture - macOS
id: 0877ed01-da46-4c49-8476-d49cdd80dfa7
status: test
description: Detects attempts to use screencapture to collect macOS screenshots
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py
author: remotephone, oscd.community
date: 2020-10-13
modified: 2021-11-27
tags:
- attack.collection
- attack.t1113
logsource:
product: macos
category: process_creation
detection:
selection:
Image: '/usr/sbin/screencapture'
condition: selection
falsepositives:
- Legitimate user activity taking screenshots
level: low
title: System Network Connections Discovery - MacOs
id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db
status: test
description: Detects usage of system utilities to discover system network connections
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-12-28
tags:
- attack.discovery
- attack.t1049
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith:
- '/who'
- '/w'
- '/last'
- '/lsof'
- '/netstat'
condition: selection
falsepositives:
- Legitimate activities
level: informational
title: System Shutdown/Reboot - MacOs
id: 40b1fbe2-18ea-4ee7-be47-0294285811de
status: test
description: Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
author: 'Igor Fits, Mikhail Larin, oscd.community'
date: 2020-10-19
modified: 2022-11-26
tags:
- attack.impact
- attack.t1529
logsource:
product: macos
category: process_creation
detection:
selection:
Image|endswith:
- '/shutdown'
- '/reboot'
- '/halt'
condition: selection
falsepositives:
- Legitimate administrative activity
level: informational
title: Decode Base64 Encoded Text -MacOs
id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-26
tags:
- attack.stealth
- attack.t1027
logsource:
category: process_creation
product: macos
detection:
selection:
Image: '/usr/bin/base64'
CommandLine|contains: '-d'
condition: selection
falsepositives:
- Legitimate activities
level: low
title: Local Groups Discovery - MacOs
id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276
status: test
description: Detects enumeration of local system groups
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020-10-11
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1069.001
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/dscacheutil'
CommandLine|contains|all:
- '-q'
- 'group'
selection_2:
Image|endswith: '/cat'
CommandLine|contains: '/etc/group'
selection_3:
Image|endswith: '/dscl'
CommandLine|contains|all:
- '-list'
- '/groups'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: informational
title: File and Directory Discovery - MacOS
id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
status: test
description: Detects usage of system utilities to discover files and directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2022-11-25
tags:
- attack.discovery
- attack.t1083
logsource:
category: process_creation
product: macos
detection:
select_file_with_asterisk:
Image: '/usr/bin/file'
CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
select_recursive_ls:
Image: '/bin/ls'
CommandLine|contains: '-R'
select_find_execution:
Image: '/usr/bin/find'
select_mdfind_execution:
Image: '/usr/bin/mdfind'
select_tree_execution|endswith:
Image: '/tree'
condition: 1 of select*
falsepositives:
- Legitimate activities
level: informational
title: Local System Accounts Discovery - MacOs
id: ddf36b67-e872-4507-ab2e-46bda21b842c
status: test
description: Detects enumeration of local systeam accounts on MacOS
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-08
modified: 2022-11-27
tags:
- attack.discovery
- attack.t1087.001
logsource:
category: process_creation
product: macos
detection:
selection_1:
Image|endswith: '/dscl'
CommandLine|contains|all:
- 'list'
- '/users'
selection_2:
Image|endswith: '/dscacheutil'
CommandLine|contains|all:
- '-q'
- 'user'
selection_3:
CommandLine|contains: '''x:0:'''
selection_4:
Image|endswith: '/cat'
CommandLine|contains:
- '/etc/passwd'
- '/etc/sudoers'
selection_5:
Image|endswith: '/id'
selection_6:
Image|endswith: '/lsof'
CommandLine|contains: '-u'
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
level: low
title: Network Sniffing - MacOs
id: adc9bcc4-c39c-4f6b-a711-1884017bf043
status: test
description: |
Detects the usage of tooling to sniff network traffic.
An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2022-11-26
tags:
- attack.discovery
- attack.credential-access
- attack.t1040
logsource:
category: process_creation
product: macos
detection:
selection:
Image|endswith:
- '/tcpdump'
- '/tshark'
condition: selection
falsepositives:
- Legitimate administration activities
level: informational
title: System Network Discovery - macOS
id: 58800443-f9fc-4d55-ae0c-98a3966dfb97
status: test
description: Detects enumeration of local network configuration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
author: remotephone, oscd.community
date: 2020-10-06
modified: 2024-08-29
tags:
- attack.discovery
- attack.t1016
logsource:
product: macos
category: process_creation
detection:
selection_1:
Image|endswith:
- '/arp'
- '/ifconfig'
- '/netstat'
- '/networksetup'
- '/socketfilterfw'
selection_2:
Image: '/usr/bin/defaults'
CommandLine|contains|all:
- '/Library/Preferences/com.apple.alf'
- 'read'
filter_main_wifivelocityd:
ParentImage|endswith: '/wifivelocityd'
condition: 1 of selection_* and not 1 of filter_main_*
falsepositives:
- Legitimate administration activities
level: informational
title: Remote Access Tool - Team Viewer Session Started On MacOS Host
id: f459ccb4-9805-41ea-b5b2-55e279e2424a
related:
- id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
type: similar
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
- Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: macos
detection:
selection:
ParentImage|endswith: '/TeamViewer_Service'
Image|endswith: '/TeamViewer_Desktop'
CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
condition: selection
falsepositives:
- Legitimate usage of TeamViewer
level: low
title: Startup Item File Created - MacOS
id: dfe8b941-4e54-4242-b674-6b613d521962
status: test
description: |
Detects the creation of a startup item plist file, that automatically get executed at boot initialization to establish persistence.
Adversaries may use startup items automatically executed at boot initialization to establish persistence.
Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
- https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
author: Alejandro Ortuno, oscd.community
date: 2020-10-14
modified: 2024-08-11
tags:
- attack.persistence
- attack.privilege-escalation
- attack.t1037.005
logsource:
category: file_event
product: macos
detection:
selection:
TargetFilename|startswith:
- '/Library/StartupItems/'
- '/System/Library/StartupItems'
TargetFilename|endswith: '.plist'
condition: selection
falsepositives:
- Legitimate administration activities
level: low