MacControl is a macOS backdoor family that gives its operator remote control of an infected Mac. The MacControl YARA rule (author Seth Hardy, 2014) identifies samples of that family by their file content; it is a signature for the malware, not a behavioural rule, and on its own it says nothing about lateral movement or persistence. SOC teams can run it in their endpoint or file-scanning tooling (the yara command line, an EDR that accepts custom YARA, or a file-share scanner) and forward matches to Azure Sentinel to hunt for early-stage infections before the operator escalates.
YARA Rule

    // Aggregate rule: fires if either of the two private rules below matches.
    // MacControlCode and MacControlStrings are declared (as private rules) earlier
    // in the same file of the original rule set and are not reproduced here.
    rule MacControl : Family
    {
        meta:
            description = "MacControl"
            author = "Seth Hardy"
            last_modified = "2014-06-16"
        condition:
            MacControlCode or MacControlStrings
    }

As printed, this excerpt does not compile on its own: YARA requires a rule referenced in a condition to be declared before the rule that uses it, and the two private rules that carry the actual code patterns and strings are missing. Deploy the complete file from the original rule set, not this fragment.
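The dependency problem above can be caught before the rule ever reaches a scanner. The following is an added example, not part of the original page or of the Seth Hardy rule set: a small static check that lists rule names referenced in a condition but not declared earlier in the same source. PAGE_EXCERPT is a constructed copy of the rule as printed; COMPLETE_SKELETON is a constructed stand-in for the shape of the original file, with placeholder string patterns rather than the family's real indicators. The regex-based scanning is a deliberate simplification of YARA's grammar.

```python
"""Static check: which rules does a YARA source reference before declaring them?

Added example, not part of the original page. YARA requires a rule referenced
in a condition to be declared earlier in the same file, so the check below
walks rules in declaration order and reports references it has not yet seen.
"""
import re

# Constructed copy of the rule exactly as the page prints it. The two rules it
# references are NOT declared here, so yarac would reject this file.
PAGE_EXCERPT = r'''
rule MacControl : Family
{
    meta:
        description = "MacControl"
        author = "Seth Hardy"
        last_modified = "2014-06-16"
    condition:
        MacControlCode or MacControlStrings
}
'''

# Constructed skeleton of the shape the original file has: private rules first,
# aggregate rule last. The string patterns are placeholders, not real indicators.
COMPLETE_SKELETON = r'''
private rule MacControlCode : MacControl Family
{
    strings:
        $placeholder = "PLACEHOLDER_CODE_PATTERN"
    condition:
        any of them
}
private rule MacControlStrings : MacControl Family
{
    strings:
        $placeholder = "PLACEHOLDER_STRING"
    condition:
        any of them
}
rule MacControl : Family
{
    condition:
        MacControlCode or MacControlStrings
}
'''

# Condition-language words that look like identifiers but are not rule names.
YARA_KEYWORDS = frozenset("""
and or not any all of them at in for filesize entrypoint true false none
contains icontains matches startswith istartswith endswith iendswith iequals
defined int8 int16 int32 uint8 uint16 uint32 int8be int16be int32be uint8be
uint16be uint32be
""".split())

RULE_HEADER = re.compile(r'^[ \t]*(?:(private|global)[ \t]+)*rule[ \t]+([A-Za-z_]\w*)', re.M)
CONDITION = re.compile(r'condition\s*:(.*?)\}', re.S)
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')
# An identifier not prefixed by $ # @ ! (string references) or a dot (module
# field) and not followed by a dot (module name such as pe.).
IDENT = re.compile(r'(?<![$#@!\w.])([A-Za-z_]\w*)(?!\w*\s*\.)')


def declared_rules(source):
    """Rule names in declaration order, with a flag telling if each is private."""
    return [(m.group(2), m.group(1) == "private") for m in RULE_HEADER.finditer(source)]


def rule_bodies(source):
    """Yield (name, source text) for each rule, in declaration order."""
    heads = list(RULE_HEADER.finditer(source))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(source)
        yield m.group(2), source[m.start():end]


def condition_references(body):
    """Identifiers used in a rule's condition that could name another rule."""
    m = CONDITION.search(body)
    if not m:
        return set()
    cond = QUOTED.sub('""', m.group(1))  # ignore identifiers inside string literals
    return {t for t in IDENT.findall(cond) if t not in YARA_KEYWORDS}


def undefined_references(source):
    """Map rule name -> sorted names it references that were not declared earlier.

    An empty dict means every reference resolves and the file is self-contained.
    """
    seen, problems = set(), {}
    for name, body in rule_bodies(source):
        missing = sorted(ref for ref in condition_references(body) if ref not in seen)
        if missing:
            problems[name] = missing
        seen.add(name)
    return problems


if __name__ == "__main__":
    for label, src in (("page excerpt", PAGE_EXCERPT), ("complete skeleton", COMPLETE_SKELETON)):
        print(label, "->", undefined_references(src) or "all references resolved")
```

Run against the excerpt the checker reports that MacControl references MacControlCode and MacControlStrings without either being declared; against the skeleton it reports nothing. The same check is cheap to run in CI on a rule repository before rules are pushed to scanners.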
A YARA rule matches bytes in a file or in process memory; it has no notion of which process wrote or executed the file. The tuning below therefore only applies where the rule is wired into a scanner that supplies process and code-signing context, for example an EDR that triggers a scan when a process starts. In every scenario, scope the exclusion by a validated code signature or by file location rather than by a process name or command-line substring: a name or argument string is trivially imitated by malware, and an exclusion keyed on it is a blind spot rather than a tuning.
Scenario: System Integrity Protection (SIP) enforcement by macOS
Filter/Exclusion: SIP is enforced by the kernel and has no process or command line of its own. The realistic exclusion is to skip matches on Apple-signed files under SIP-protected paths (/System, /bin, /sbin, and /usr other than /usr/local), since user-level malware cannot write there while SIP is enabled. Re-enable scanning of those paths on any host whose SIP status telemetry (csrutil status) reports SIP disabled.
Scenario: Scheduled maintenance tasks using launchd or cron
Filter/Exclusion: Exclude scans triggered by launchd or cron jobs whose executable is Apple-signed and whose launchd label is in the known maintenance set (for example the com.apple.periodic daily, weekly and monthly jobs). A third-party LaunchAgent or cron entry is a common persistence location and must not be excluded.
Scenario: Admin task to configure system settings via profiles or configuration profiles
Filter/Exclusion: Exclude the Apple-signed profiles tool and .mobileconfig files delivered by your MDM. Configuration profiles can also be abused to change security settings, so scope the exclusion to profiles whose origin is the MDM enrollment, not to every .mobileconfig on disk.
Scenario: Security software or endpoint protection tools performing integrity checks
Filter/Exclusion: Exclude processes signed by the code-signing Team ID of known security tools such as CrowdStrike, SentinelOne, or Palo Alto Networks. Take the Team ID from the vendor's documentation or from codesign -dv --verbose=4 on the installed agent; do not key the exclusion on the process name or command-line arguments alone.
Scenario: User-initiated system updates or macOS upgrades via the App Store or Software Update
Filter/Exclusion: Exclude the Apple-signed softwareupdate tool (/usr/sbin/softwareupdate) and App Store processes. An unsigned binary that merely calls itself softwareupdate must still raise an alert.
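The following is an added example, not part of the original page, showing how the exclusions above look when applied as a post-filter on YARA match events by signature and location instead of by name. The match records are constructed stand-ins for what an EDR-triggered scan would emit; the signer field is assumed to be the result of a validated signature check (an Apple signature, a third-party Team ID, or None when unsigned or invalid), and the vendor Team IDs are placeholders to be replaced with the real values from the vendor's documentation or from codesign -dv --verbose=4 on the installed agent.

```python
"""Post-filter for YARA matches that applies the tuning scenarios by code
signature and file location rather than by process name or command line.

Added example, not part of the original page. Match records are constructed;
vendor Team IDs are placeholders (assumption).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# SIP-protected locations: user-level malware cannot write here while SIP is on.
# /usr/local is explicitly exempt from SIP.
SIP_PROTECTED_PREFIXES = ("/System/", "/bin/", "/sbin/", "/usr/")
SIP_EXEMPT_PREFIXES = ("/usr/local/",)

# Apple tools named in the tuning scenarios. Only an Apple-signed binary with
# one of these names is excluded; the name by itself proves nothing.
APPLE_MAINTENANCE_TOOLS = frozenset(
    {"launchd", "cron", "periodic", "softwareupdate", "profiles", "App Store"}
)

# Placeholder Team IDs (assumption), mapping signer -> product name.
SECURITY_VENDOR_TEAM_IDS = {
    "TEAMID_VENDOR_A": "VendorA EDR",
    "TEAMID_VENDOR_B": "VendorB EDR",
}


@dataclass(frozen=True)
class Match:
    event_id: str
    rule: str               # YARA rule that fired
    path: str               # file the rule matched
    process: str            # process whose start triggered the scan
    cmdline: str
    signer: Optional[str]   # "Apple", a Team ID, or None if unsigned / invalid


def is_sip_protected(path: str) -> bool:
    """True for paths SIP keeps read-only for everyone, including root."""
    if path.startswith(SIP_EXEMPT_PREFIXES):
        return False
    return path.startswith(SIP_PROTECTED_PREFIXES)


def triage_one(m: Match) -> Tuple[str, str]:
    """Return ("suppress" | "alert", reason) for a single match event."""
    if m.signer == "Apple" and is_sip_protected(m.path):
        return "suppress", "Apple-signed file under a SIP-protected path"
    if m.signer == "Apple" and m.process in APPLE_MAINTENANCE_TOOLS:
        return "suppress", f"Apple-signed maintenance tool {m.process}"
    if m.signer in SECURITY_VENDOR_TEAM_IDS:
        return "suppress", f"known security tool ({SECURITY_VENDOR_TEAM_IDS[m.signer]})"
    if m.process in APPLE_MAINTENANCE_TOOLS:
        # A name-only exclusion would have hidden exactly this case.
        return "alert", f"{m.process!r} is not Apple-signed (signer={m.signer}); possible impersonation"
    return "alert", f"{m.rule} matched {m.path} ({m.cmdline})"


def triage(matches: List[Match]) -> List[Tuple[str, str, str]]:
    """Apply triage_one to every match, keeping the event id for the SIEM."""
    return [(m.event_id, *triage_one(m)) for m in matches]


SAMPLE_MATCHES = [  # constructed records, not real telemetry
    Match("ev1", "MacControl", "/Users/alice/Downloads/Report.app/Contents/MacOS/Report",
          "Report", "/Users/alice/Downloads/Report.app/Contents/MacOS/Report", None),
    Match("ev2", "MacControl", "/usr/sbin/periodic",
          "periodic", "/usr/sbin/periodic daily", "Apple"),
    Match("ev3", "MacControl", "/tmp/softwareupdate",
          "softwareupdate", "/tmp/softwareupdate -ia", None),
    Match("ev4", "MacControl", "/Library/Application Support/VendorA/agent",
          "agent", "/Library/Application Support/VendorA/agent --scan", "TEAMID_VENDOR_A"),
    Match("ev5", "MacControl", "/usr/local/bin/helper",
          "helper", "/usr/local/bin/helper", None),
]


if __name__ == "__main__":
    for event_id, action, reason in triage(SAMPLE_MATCHES):
        print(f"{event_id}: {action:8} {reason}")
```

Of the five constructed events, ev2 (Apple-signed periodic under /usr/sbin) and ev4 (an agent signed with a known vendor Team ID) are suppressed, while ev3 is still raised even though the process is called softwareupdate, because it is unsigned and lives in /tmp. The SIP-path rule is only sound on hosts where SIP is enabled, so pair it with csrutil status telemetry and drop the suppression for any host that reports SIP disabled.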