The hypothesis is that an adversary is attempting to extract authorization tokens from macOS systems to gain elevated access or exfiltrate sensitive credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or privilege escalation attempts early.
YARA Rule
rule hacktool_macos_manwhoami_mmetokendecrypt
{
    meta:
        description = "This program decrypts / extracts all authorization tokens on macOS / OS X / OSX."
        reference = "https://github.com/manwhoami/MMeTokenDecrypt"
        author = "@mimeframe"
        id = "8792bf45-9c92-53cf-a288-e38fe2a19642"
    strings:
        $a1 = "security find-generic-password -ws 'iCloud'" wide ascii
        $a2 = "ERROR getting iCloud Decryption Key" wide ascii
        $a3 = "Could not find MMeTokenFile. You can specify the file manually." wide ascii
        $a4 = "Decrypting token plist ->" wide ascii
        $a5 = "Successfully decrypted token plist!" wide ascii
    condition:
        3 of ($a*)
}
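To make the rule's semantics concrete, here is an added Python re-implementation of its string matching (it is not code from the page or from the MMeTokenDecrypt project, and it does not use the yara library). It reproduces the "wide ascii" modifiers (raw bytes and UTF-16LE) and the "3 of ($a*)" threshold, and runs over three constructed byte blobs: one carrying three ASCII strings, one carrying three wide strings, and a benign admin script that contains only the single `security find-generic-password` line.

```python
# Added example, not from the original page: minimal matcher for the five
# $a strings of hacktool_macos_manwhoami_mmetokendecrypt with the "3 of" rule.
from typing import Dict, List

RULE_STRINGS: Dict[str, str] = {
    "$a1": "security find-generic-password -ws 'iCloud'",
    "$a2": "ERROR getting iCloud Decryption Key",
    "$a3": "Could not find MMeTokenFile. You can specify the file manually.",
    "$a4": "Decrypting token plist ->",
    "$a5": "Successfully decrypted token plist!",
}
THRESHOLD = 3  # condition: 3 of ($a*)


def encodings(text: str) -> List[bytes]:
    """YARA 'ascii' form (raw bytes) and 'wide' form (UTF-16LE, two bytes per char)."""
    return [text.encode("ascii"), text.encode("utf-16-le")]


def matched_strings(data: bytes) -> Dict[str, str]:
    """Map each rule string found anywhere in data to the encoding it was found in."""
    hits: Dict[str, str] = {}
    for ident, text in RULE_STRINGS.items():
        ascii_form, wide_form = encodings(text)
        if ascii_form in data:
            hits[ident] = "ascii"
        elif wide_form in data:
            hits[ident] = "wide"
    return hits


def rule_matches(data: bytes) -> bool:
    """True when at least THRESHOLD distinct $a strings are present, in either encoding."""
    return len(matched_strings(data)) >= THRESHOLD


# Constructed samples (not real binaries or scripts).
SAMPLE_ASCII = (b"\x00" * 16 + RULE_STRINGS["$a1"].encode() + b"\x00"
                + RULE_STRINGS["$a2"].encode() + b"\x00" + RULE_STRINGS["$a4"].encode())
SAMPLE_WIDE = b"MZ" + b"".join(
    s.encode("utf-16-le") + b"\x00\x00"
    for s in (RULE_STRINGS["$a3"], RULE_STRINGS["$a4"], RULE_STRINGS["$a5"]))
# A one-off keychain lookup in an admin script: only $a1 is present, so no match.
SAMPLE_BENIGN = b"#!/bin/sh\nsecurity find-generic-password -ws 'iCloud'\n"

if __name__ == "__main__":
    for label, blob in (("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)):
        print(label, rule_matches(blob), matched_strings(blob))
```

The benign sample shows why the threshold matters: a single `security find-generic-password` invocation in a legitimate script is not enough to trigger the rule, whereas a binary or script that carries the tool's error and status messages is.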
This rule contains 5 string patterns in its detection logic and fires when at least 3 of them are present, each matched in either ASCII or UTF-16LE (wide) form. When deploying it, the following benign scenarios may overlap with the detection; each is paired with a process-context filter/exclusion for tuning:
Scenario: System Integrity Protection (SIP) bypass tool used during macOS maintenance or security audits.
Filter/Exclusion: process.name == "SIP Bypass Tool" or process.name == "SIPBypass"
Scenario: Scheduled job running security command to manage authorization tokens for system services.
Filter/Exclusion: process.name == "security" and (process.args contains "set -f" or process.args contains "set -o")
Scenario: Admin task using Authorization Assistant to configure user permissions for network services.
Filter/Exclusion: process.name == "Authorization Assistant" or process.name == "AuthorizationAssistant"
Scenario: Automated script using osascript to interact with macOS authorization dialogs during deployment.
Filter/Exclusion: process.name == "osascript" and process.args contains "display dialog"
Scenario: macOS system update process that temporarily accesses authorization tokens during installation.
Filter/Exclusion: process.name == "softwareupdate" or process.name == "Install macOS"
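As an added example (not part of the original page), the five exclusions above expressed as predicates over constructed process events, so that a triage step can decide which hits are suppressed and which escalate. The field names `process.name` and `process.args` follow the page's filter notation; the events are made up. It also shows why the `security` exclusion needs explicit parentheses: written as `A and B or C`, the condition would suppress any process whose arguments contain `set -o`.

```python
# Added example, not from the original page: evaluating the page's process-context
# exclusions against constructed events (assumed fields: process name and args string).
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcessEvent:
    name: str   # process.name
    args: str   # process.args, flattened to one string


Predicate = Callable[[ProcessEvent], bool]

# (scenario, predicate); a predicate returning True suppresses the alert.
EXCLUSIONS: List[Tuple[str, Predicate]] = [
    ("SIP bypass tooling during maintenance",
     lambda e: e.name in ("SIP Bypass Tool", "SIPBypass")),
    ("scheduled security job",
     lambda e: e.name == "security" and ("set -f" in e.args or "set -o" in e.args)),
    ("Authorization Assistant admin task",
     lambda e: e.name in ("Authorization Assistant", "AuthorizationAssistant")),
    ("osascript deployment dialog",
     lambda e: e.name == "osascript" and "display dialog" in e.args),
    ("macOS software update",
     lambda e: e.name in ("softwareupdate", "Install macOS")),
]


def unparenthesized_security_filter(e: ProcessEvent) -> bool:
    """The 'security' exclusion as it parses without parentheses: (A and B) or C."""
    return e.name == "security" and "set -f" in e.args or "set -o" in e.args


def triage(event: ProcessEvent) -> Dict[str, object]:
    """Return whether the event escalates and, if suppressed, which scenario matched."""
    for scenario, pred in EXCLUSIONS:
        if pred(event):
            return {"escalate": False, "reason": scenario}
    return {"escalate": True, "reason": "no exclusion matched"}


# Constructed events for illustration.
EVENTS = [
    ProcessEvent("softwareupdate", "--install --all"),
    ProcessEvent("python3", "MMeTokenDecrypt.py"),
    ProcessEvent("security", "find-generic-password -ws iCloud"),
    ProcessEvent("osascript", "-e 'display dialog \"Deploying\"'"),
    ProcessEvent("bash", "set -o pipefail"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.name, triage(ev))
```

The third event is the keychain lookup the rule's `$a1` string describes; the `security` exclusion only covers `set -f` / `set -o` arguments, so that event still escalates, which is the behaviour a hunter wants.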