Disk Image Mounting Via Hdiutil - MacOS

Rule Info

Name
Disk Image Mounting Via Hdiutil - MacOS
Author
Omar Khaled (@beacon_exe)
Description
Detects the execution of the hdiutil utility in order to mount disk images.
Reference
https://www.loobins.io/binaries/hdiutil/
Date
2024-08-10 00:00:00
Modified
None
Id
bf241472-f014-4f01-a869-96f99330ca8c
Tags
attack.initial-access attack.collection attack.t1566.001 attack.t1560.001
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=bf241472-f014-4f01-a869-96f99330ca8c

Rule History

Author
Title
Date
Commit
github-actions[bot]
Merge PR #5506 from @nasbench -promote older rules status from `experimental` to `test`
2025-07-01
4316ad64d
david-syk
Merge PR #5388 from @david-syk - Update MITRE ATT&CK tags
2025-05-20
efcfe43fa
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
Omar A.
Merge PR #4949 from @omaramin17 - Add new rules related to Hdiutil usage
2024-08-10
bfc5586e4
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022