Adversaries may use MacControl code tricks to execute arbitrary code with elevated privileges on macOS systems, bypassing standard security controls. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential privilege-escalation attempts and mitigate advanced persistent threats.
YARA Rule
rule MacControlCode : MacControl Family
{
    meta:
        description = "MacControl code tricks"
        author = "Seth Hardy"
        last_modified = "2014-06-17"

    strings:
        // Load these function strings 4 characters at a time. These check the first two blocks:
        $L4_Accept = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20 }
        $L4_AcceptLang = { C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C }
        $L4_Pragma = { C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20 }
        $L4_Connection = { C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69 }
        $GEThgif = { C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67 }

    condition:
        all of ($L4*) or $GEThgif
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
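To make clear what the five hex strings actually look for, here is an added example (not part of the original page and not the yara engine itself) that re-implements the rule's `??` wildcard matching and its condition in Python, decodes the ASCII that each pattern assembles, and evaluates the rule over constructed byte buffers. The ModRM bytes 07/47 used to build the sample buffers are an assumption chosen for illustration, not bytes taken from a real MacControl binary.

```python
import re

# The five hex strings exactly as written in the MacControlCode rule above.
# Each is a pair of x86 "mov r/m32, imm32" instructions: opcode C7, a
# wildcarded ModRM byte, four immediate bytes; the second also carries a
# one-byte displacement of 04. Together they store eight characters of an
# HTTP header four bytes at a time, so the rule matches the code that
# builds the string, not the ASCII string itself.
RULE_STRINGS = {
    "$L4_Accept":     "C7 ?? 41 63 63 65 C7 ?? 04 70 74 3A 20",
    "$L4_AcceptLang": "C7 ?? 41 63 63 65 C7 ?? 04 70 74 2D 4C",
    "$L4_Pragma":     "C7 ?? 50 72 61 67 C7 ?? 04 6D 61 3A 20",
    "$L4_Connection": "C7 ?? 43 6F 6E 6E C7 ?? 04 65 63 74 69",
    "$GEThgif":       "C7 ?? 47 45 54 20 C7 ?? 04 2F 68 2E 67",
}

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string ('??' = any one byte) into a bytes regex."""
    parts = [b"." if t == "??" else re.escape(bytes([int(t, 16)]))
             for t in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def decode_immediates(pattern: str) -> str:
    """Recover the ASCII written by the two immediates (tokens 2-5 and 9-12)."""
    t = pattern.split()
    return bytes(int(x, 16) for x in t[2:6] + t[9:13]).decode("ascii")

def scan(buf: bytes) -> dict:
    """Map each string identifier to whether it occurs anywhere in buf."""
    return {name: hex_pattern_to_regex(p).search(buf) is not None
            for name, p in RULE_STRINGS.items()}

def rule_matches(buf: bytes) -> bool:
    """Evaluate the rule's condition: all of ($L4*) or $GEThgif."""
    hits = scan(buf)
    return all(v for k, v in hits.items() if k.startswith("$L4")) or hits["$GEThgif"]

def instantiate(pattern: str, modrm=(0x07, 0x47)) -> bytes:
    """Fill the two '??' slots to build a constructed sample. The defaults are an
    assumption (07 = [edi], 47 = [edi+disp8]), not bytes from a real MacControl file."""
    it = iter(modrm)
    return bytes(next(it) if t == "??" else int(t, 16) for t in pattern.split())

if __name__ == "__main__":
    for name, p in RULE_STRINGS.items():
        print(f"{name:16} assembles {decode_immediates(p)!r}")
    l4 = [p for n, p in RULE_STRINGS.items() if n.startswith("$L4")]
    print("all four $L4 fragments :", rule_matches(b"".join(map(instantiate, l4))))
    print("three of four $L4 only :", rule_matches(b"".join(map(instantiate, l4[:3]))))
    print("plain ASCII HTTP request:", rule_matches(b"GET /h.gif HTTP/1.1\r\nAccept: */*\r\n"))
```

A file that merely contains the text "Accept: " or "GET /h.gif" does not trigger the rule; only the instruction sequence that stores those bytes does, which is what keeps the rule from firing on ordinary HTTP traffic captures or text files.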
Scenario: A system administrator is using launchd to schedule a legitimate maintenance task.
Filter/Exclusion: Check for com.apple.launchd or launchd.plist files in the ~/Library/LaunchAgents or /Library/LaunchDaemons directories. Exclude tasks with known administrative purposes (e.g., com.apple.periodic).
Scenario: A developer is using osascript to automate a GUI interaction for a legitimate application.
Filter/Exclusion: Filter out processes where the command line includes osascript and the script path is within a known development directory (e.g., /Users/developer/Scripts/).
Scenario: A sysadmin is using sudo to run a one-time command for system configuration.
Filter/Exclusion: Exclude commands executed via sudo that match known administrative tasks (e.g., sudo launchctl load -w /Library/LaunchDaemons/com.example.service.plist).
Scenario: A scheduled job is running via cron to perform system backups.
Filter/Exclusion: Exclude entries in the crontab that match known backup tools (e.g., rsync, tar, or backupd) and are located in standard system directories like /etc/cron.d/.
Scenario: A security tool is injecting code via AppleScript to perform a legitimate security audit.
Filter/Exclusion: Exclude processes where the script is signed by a trusted security tool (e.g., com.security.tool.audit) and the execution path is within a known security tool directory.