Analytics Story: MacOS Privilege Escalation

Description

Monitor for and investigate activities that may be associated with a MacOS privilege-escalation attack, including unusual processes running on endpoints, scheduled tasks, services, setuid binaries, execution as root, and more.

Why it matters

Privilege escalation is a "land-and-expand" technique, wherein an adversary gains an initial foothold on a host and then exploits its weaknesses to increase his privileges. The motivation is simple: certain actions on a MacOS machine--such as installing software--may require higher-level privileges than those the attacker initially acquired. By increasing his privilege level, the attacker can gain the control required to carry out his malicious ends. This Analytic Story provides searches to detect and investigate behaviors that attackers may use to elevate their privileges in your environment.

Detections

Name                      Technique                          Type
MacOS Gatekeeper Bypass   Gatekeeper Bypass                  Anomaly
MacOS Kextload Usage      Create or Modify System Process    TTP
MacOS Keychains Dumped    Keychain                           TTP

Data Sources

Name               Platform    Sourcetype         Source
Osquery Results    Other       osquery:results    osquery

References


Source: GitHub | Version: 1