
Summary
This detection rule aims to identify potential reconnaissance activity on macOS systems in which an attacker uses a built-in system utility, specifically the 'grep' command, to discover which security software is installed on the target. The rule monitors process creation events and inspects the command-line arguments for strings associated with known security applications. When 'grep' is executed, the rule checks whether the command line contains one of the specified product names, such as 'nessusd', 'santad', or endpoint detection platforms including 'CbDefense', among others. The alert triggers only when both conditions hold: the image executing the command must be 'grep', and at least one of the listed security software patterns must appear in the command line. Security teams should watch for this behaviour because enumerating installed security software often precedes attempts to disable or evade detection mechanisms. False positives can arise from legitimate administrative activity in which these searches are performed intentionally.
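The two-condition logic described above, written out as an added example that is not the rule's own code. It assumes Sysmon-style 'Image' and 'CommandLine' field names, an endswith('/grep') test for the image condition, and uses only the three product names the summary quotes (the real rule carries more).

```python
"""Added example (not the detection rule's own code): apply the grep-based
security-software discovery logic to constructed process-creation records.

Assumptions: each record is a dict with 'Image' and 'CommandLine' keys
(Sysmon-style names), the image check is an endswith('/grep') test, and the
pattern list is the subset the summary names (nessusd, santad, CbDefense)."""
from typing import Dict, Iterable, List, Optional

# Product names quoted in the summary; the real rule lists additional ones.
SECURITY_SOFTWARE_PATTERNS = ("nessusd", "santad", "CbDefense")


def matches_rule(event: Dict[str, str]) -> Optional[str]:
    """Return the matched pattern when both conditions hold, else None.
    The substring test is case-sensitive, mirroring a plain 'contains'."""
    image = event.get("Image", "")
    command_line = event.get("CommandLine", "")
    # Condition 1: the executing image is grep itself (assumed as a path suffix,
    # so '/usr/bin/egrep' does not qualify).
    if not image.endswith("/grep"):
        return None
    # Condition 2: any listed product name appears in the command line.
    for pattern in SECURITY_SOFTWARE_PATTERNS:
        if pattern in command_line:
            return pattern
    return None


def scan(events: Iterable[Dict[str, str]]) -> List[str]:
    """Run the matcher over an event stream and return one line per hit."""
    hits = []
    for event in events:
        hit = matches_rule(event)
        if hit is not None:
            hits.append(f"{event['Image']} -> matched '{hit}'")
    return hits


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/usr/bin/grep", "CommandLine": "grep -i santad"},
    {"Image": "/usr/bin/grep", "CommandLine": "grep CbDefense /tmp/ps.txt"},
    {"Image": "/usr/bin/grep", "CommandLine": "grep -r TODO src/"},  # benign grep
    {"Image": "/bin/ps", "CommandLine": "ps -ef"},                   # not grep
    {"Image": "/usr/bin/egrep", "CommandLine": "egrep nessusd"},     # wrong image
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Only the first two constructed events match; the egrep case shows why the image condition, not just the command line, decides the alert.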
Categories
- macOS
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1518.001
Created: 2020-10-19