The hypothesis is that an adversary is leveraging a null pointer dereference vulnerability in XNU to escalate privileges to root on a target system. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege escalation attempts that may evade traditional detection methods.
YARA Rule
rule hacktool_macos_exploit_tpwn
{
    meta:
        description = "tpwn exploits a null pointer dereference in XNU to escalate privileges to root."
        reference = "https://www.rapid7.com/db/modules/exploit/osx/local/tpwn"
        author = "@mimeframe"
        id = "bfd4765a-2358-5de7-91e6-9c2e1b70780f"
    strings:
        $a1 = "[-] Couldn't find a ROP gadget, aborting." wide ascii
        $a2 = "leaked kaslr slide," wide ascii
        $a3 = "didn't get root, but this system is vulnerable." wide ascii
        $a4 = "Escalating privileges! -qwertyoruiop" wide ascii
    condition:
        2 of ($a*)
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic, each declared both ascii and wide (UTF-16LE), and the condition fires when any 2 of them are found in the scanned object.
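To make the rule's semantics concrete, here is an added pure-Python re-implementation of its matching logic (not code from the original page and not libyara): it carries the same four strings, applies the ascii and wide (UTF-16LE) modifiers, and evaluates the 2 of ($a*) condition against constructed sample buffers so an analyst can see exactly which encodings and which identifiers produced a hit.

```python
"""Pure-Python mirror of the tpwn YARA rule's matching logic.

Added example, not the page's code and not libyara. It reproduces the four
$a strings, the `wide ascii` modifiers and the `2 of ($a*)` condition so the
rule's behaviour can be inspected without a yara install.
"""
from __future__ import annotations

# The four $a strings exactly as declared in the rule.
TPWN_STRINGS = {
    "$a1": "[-] Couldn't find a ROP gadget, aborting.",
    "$a2": "leaked kaslr slide,",
    "$a3": "didn't get root, but this system is vulnerable.",
    "$a4": "Escalating privileges! -qwertyoruiop",
}
REQUIRED_MATCHES = 2  # the rule's `2 of ($a*)` condition


def encodings_for(s: str) -> dict[str, bytes]:
    """`ascii` matches the raw bytes; `wide` matches the UTF-16LE form
    (each character followed by a NUL byte), which is what YARA means by wide."""
    return {"ascii": s.encode("ascii"), "wide": s.encode("utf-16-le")}


def matched_strings(data: bytes) -> dict[str, list[str]]:
    """Return {identifier: [modifiers that matched]} for every $a string found in data.
    Matching is case-sensitive, as YARA's default is without `nocase`."""
    hits: dict[str, list[str]] = {}
    for ident, text in TPWN_STRINGS.items():
        found = [mod for mod, pat in encodings_for(text).items() if pat in data]
        if found:
            hits[ident] = found
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the condition: at least two distinct $a identifiers present.
    Two encodings of the same identifier still count as one, as in YARA."""
    return len(matched_strings(data)) >= REQUIRED_MATCHES


# Constructed sample buffers (not real binaries) that exercise the logic.
SAMPLE_ASCII_HIT = (b"\x00" * 16 + b"leaked kaslr slide," + b"junk"
                    + b"Escalating privileges! -qwertyoruiop")
SAMPLE_WIDE_HIT = ("[-] Couldn't find a ROP gadget, aborting.".encode("utf-16-le")
                   + b"\x90" * 8
                   + "leaked kaslr slide,".encode("utf-16-le"))
SAMPLE_SINGLE = b"leaked kaslr slide, nothing else here"  # one string only: no match
SAMPLE_CLEAN = b"ordinary launchd plist text with no tpwn markers"

if __name__ == "__main__":
    for name, buf in [("ascii", SAMPLE_ASCII_HIT), ("wide", SAMPLE_WIDE_HIT),
                      ("single", SAMPLE_SINGLE), ("clean", SAMPLE_CLEAN)]:
        print(f"{name:6} -> match={rule_matches(buf)} strings={matched_strings(buf)}")
```

The single-string buffer shows why the condition is 2 of 4 rather than any: one marker such as "leaked kaslr slide," can appear in unrelated tooling output, so the rule waits for a second independent indicator before alerting.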
Scenario: A system administrator is using sudo to run a legitimate maintenance script that requires elevated privileges.
Filter/Exclusion: Exclude processes where the command line includes sudo and the user is a member of the sudo group.

Scenario: A scheduled job (e.g., a cron job) is configured to run a legitimate system cleanup tool such as logrotate or systemd-tmpfiles-clean.
Filter/Exclusion: Exclude processes with command lines containing logrotate, systemd-tmpfiles-clean, or similar known system maintenance tools.

Scenario: A developer is testing a kernel module or using a tool like kextutil to load a kernel extension for debugging purposes.
Filter/Exclusion: Exclude processes with command lines containing kextutil or kernelcache-related commands.

Scenario: A security tool like osquery or sysdig is running a query to inspect system processes or kernel state.
Filter/Exclusion: Exclude processes with command lines containing osquery, sysdig, or dtrace as part of normal monitoring activity.

Scenario: A legitimate kernel patch or update is being applied using a tool like installer or softwareupdate on macOS.
Filter/Exclusion: Exclude processes with command lines containing installer, softwareupdate, or pkgutil during system updates.
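The exclusions above can be applied as a triage pass over process-creation events before analysts look at what the hunt surfaces. The following is an added Python example, not code from the original page: the event field names (cmdline, user, groups) and the sample records are constructed assumptions, and the script reports which benign scenario suppressed each event so the exclusions can be audited.

```python
"""Apply the tuning exclusions above to process-creation events.

Added example, not from the original page. Event field names (`cmdline`,
`user`, `groups`) are assumed; the sample records are constructed.
"""
from __future__ import annotations

# Keyword exclusions paired with the benign scenario they represent.
KEYWORD_EXCLUSIONS = {
    "scheduled maintenance": ("logrotate", "systemd-tmpfiles-clean"),
    "kernel extension debugging": ("kextutil", "kernelcache"),
    "security monitoring": ("osquery", "sysdig", "dtrace"),
    "system update": ("installer", "softwareupdate", "pkgutil"),
}


def exclusion_reason(event: dict) -> str | None:
    """Return the scenario name that excludes this event, or None if it stays for review."""
    cmd = event.get("cmdline", "")
    # sudo is only excluded when the account is actually in the sudo group;
    # sudo from a non-member account is exactly what we want to keep.
    if "sudo" in cmd and "sudo" in event.get("groups", ()):
        return "admin sudo"
    for scenario, words in KEYWORD_EXCLUSIONS.items():
        if any(w in cmd for w in words):
            return scenario
    return None


def triage(events: list[dict]) -> tuple[list[dict], dict[str, int]]:
    """Split events into those left for review and a count per exclusion reason."""
    remaining: list[dict] = []
    counts: dict[str, int] = {}
    for ev in events:
        reason = exclusion_reason(ev)
        if reason is None:
            remaining.append(ev)
        else:
            counts[reason] = counts.get(reason, 0) + 1
    return remaining, counts


# Constructed sample events; pid, user and groups are invented for illustration.
SAMPLE_EVENTS = [
    {"pid": 101, "user": "alice", "groups": ["staff", "sudo"],
     "cmdline": "sudo /usr/local/bin/maint.sh"},
    {"pid": 102, "user": "root", "groups": ["wheel"],
     "cmdline": "/usr/sbin/logrotate /etc/logrotate.conf"},
    {"pid": 103, "user": "bob", "groups": ["staff"],
     "cmdline": "sudo /tmp/build/run.sh"},          # not in sudo group: keep
    {"pid": 104, "user": "dev", "groups": ["staff"],
     "cmdline": "/usr/bin/kextutil -v /tmp/debug.kext"},
    {"pid": 105, "user": "carol", "groups": ["staff"],
     "cmdline": "/tmp/tpwn"},                        # no exclusion applies: keep
    {"pid": 106, "user": "root", "groups": ["wheel"],
     "cmdline": "/usr/sbin/softwareupdate -ia"},
]

if __name__ == "__main__":
    left, why = triage(SAMPLE_EVENTS)
    print("excluded:", why)
    for ev in left:
        print("review:", ev["pid"], ev["user"], ev["cmdline"])
```

The matching is plain substring containment, which is what the filters above describe; before deploying, tighten each keyword to an exact executable path or basename, since a bare substring such as "installer" also suppresses any unrelated command line that happens to contain it.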