Hidden Flag Set On File/Directory Via Chflags - MacOS

Rule Info

Name
Hidden Flag Set On File/Directory Via Chflags - MacOS
Author
Omar Khaled (@beacon_exe)
Description
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS. When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
Reference
https://www.sentinelone.com/labs/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
Date
2024-08-21 00:00:00
Modified
None
Id
3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
Tags
attack.defense-evasion attack.t1218 attack.t1564.004 attack.t1552.001 attack.t1105
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe

Rule History

Author
Title
Date
Commit
Omar A.
Merge PR #4951 from @omaramin17 - Add `Hidden Flag Set On File/Directory Via Chflags - MacOS`
2024-08-21
a21ab6763
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022