Disk Image Creation Via Hdiutil - MacOS

Rule Info

Name
Disk Image Creation Via Hdiutil - MacOS
Author
Omar Khaled (@beacon_exe)
Description
Detects the execution of the hdiutil utility in order to create a disk image.
Reference
https://www.loobins.io/binaries/hdiutil/
Date
2024-08-10 00:00:00
Modified
None
Id
1cf98dc2-fcb0-47c9-8aea-654c9284d1ae
Tags
attack.exfiltration
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=1cf98dc2-fcb0-47c9-8aea-654c9284d1ae

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #5506 from @nasbench -promote older rules status from `experimental` to `test`
2025-07-01
4316ad64d
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Omar A.
Merge PR #4949 from @omaramin17 - Add new rules related to Hdiutil usage
2024-08-10
bfc5586e4
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022