| ID | Technique | Tactic |
|---|---|---|
| T1016 | System Network Configuration Discovery | Discovery |
Detection: MacOS List Firewall Rules
Description
This analytic detects attempts to enumerate or verify the configuration of the macOS application firewall.
Specifically, it monitors executions of defaults read /Library/Preferences/com.apple.alf and /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate.
These commands provide insight into firewall status, allowed applications, and explicit authorization rules.
While they are legitimate administrative operations, adversaries may leverage them to identify potential attack surfaces, determine whether the firewall is active, or enumerate allowed network flows.
Monitoring for these commands, particularly when executed by non-administrative users or at unusual times, can provide early indication of reconnaissance activity on macOS endpoints
Search
1
2| tstats `security_content_summariesonly`
3 count
4 values(Processes.parent_process) AS parent_process
5 values(Processes.parent_process_exec) AS parent_process_exec
6 values(Processes.parent_process_id) AS parent_process_id
7 values(Processes.parent_process_name) AS parent_process_name
8 values(Processes.parent_process_path) AS parent_process_path
9 min(_time) as firstTime
10 max(_time) as lastTime
11
12from datamodel=Endpoint.Processes where
13(
14Processes.process_name = "defaults"
15Processes.process = "* read *",
16Processes.process = "*/Library/Preferences/com.apple.alf*"
17)
18OR
19(
20 Processes.process_name = "socketfilterfw"
21 Processes.process = "*--getglobalstate*"
22)
23
24by Processes.action Processes.dest Processes.process Processes.process_hash
25 Processes.process_id Processes.process_name Processes.process_path
26 Processes.user Processes.vendor_product
27
28
29| `drop_dm_object_name(Processes)`
30
31| `security_content_ctime(firstTime)`
32
33| `security_content_ctime(lastTime)`
34
35| `macos_list_firewall_rules_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Osquery Results | Other | 'osquery:results' |
'osquery' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| macos_list_firewall_rules_filter | search * |
macos_list_firewall_rules_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.AE
CIS 10
APT19
APT3
APT32
APT41
APT42
BlackByte
Chimera
Darkhotel
Dragonfly
Earth Lusca
FIN13
GALLIUM
HAFNIUM
HEXANE
Higaisa
Ke3chang
Kimsuky
Lazarus Group
Lotus Blossom
Magic Hound
Medusa Group
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Naikon
OilRig
Play
Scattered Spider
SideCopy
Sidewinder
Stealth Falcon
TeamTNT
Threat Group-3390
Tropic Trooper
Turla
Volt Typhoon
Wizard Spider
ZIRCONIUM
admin@338
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
Collection of process execution events from macOS endpoints is required. This can be achieved using osquery's es_process_events table, EndpointSecurity framework integrations, or an EDR platform capable of recording process command lines. Ensure that captured events include at least the process path, full command line, user context, and timestamp.
Known False Positives
These commands are frequently executed by system administrators or IT personnel during routine configuration checks, troubleshooting, or automated maintenance scripts. Security tools or monitoring agents may also query firewall status for inventory or compliance purposes. To reduce false positives, consider excluding events from known administrative accounts, trusted management systems, or scheduled maintenance jobs.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
MacOS firewall rules listed via $process_name$ by $user$ on $dest$ using the command line $process$
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| user | user | 20 | parent_process_name, process_name, process |
| dest | system | 20 | parent_process_name, process_name, process |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | osquery |
osquery:results |
| Integration | ✅ Passing | Dataset | osquery |
osquery:results |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1