csrutil #

Created by Megan Carney (https://infosec.exchange/@PwnieFan)

Description ##

Used to enable/disable SIP, configure netboot and authenticated-root settings

Paths ##

• /usr/bin/csrutil

Use Cases ##

Disable SIP ##

disable SIP (System Integrity Protection) - requires booting into recovery mode

csrutil disable

Disable authenticated-root ##

When authenticated-root is disabled, booting is allowed from non-sealed system snapshots - requires booting into recovery mode

csrutil authenticated-root disable

Add a netboot server ##

Insert a new IPv4 address in the list of allowed NetBoot sources

csrutil netboot add <address>

Map infrastructure ##

List allowed NetBoot sources

csrutil netboot list

Determine if SIP is enabled ##

Determine if System Integrity Protection is enabled

csrutil status

Detections ##

• Sigma: System Integrity Protection (SIP) Disabled

• Sigma: System Integrity Protection (SIP) Enumeration

Resources ##

• Discussion on how SIP interacts with bless and netboot

• MITRE ATT&CK T1518.001 Software Discovery: Security Software Discovery

• The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSSBackdoor Planting in Safari, and LeveragesTwo Zero-day Exploits