This detection rule identifies files or memory regions containing strings known to be embedded in the MacControl macOS backdoor. A match may indicate an implant capable of remote system control or data exfiltration. SOC teams should hunt for these matches, for example by forwarding YARA hits from endpoint scans into Microsoft Sentinel (formerly Azure Sentinel), to detect early-stage compromise before the adversary establishes persistence or moves laterally. The rule matches content, not behaviour: it fires on any file that carries one of the strings, so a hit on a non-executable (a report, a signature database) should be triaged as a likely false positive rather than an infection.
YARA Rule
rule MacControlStrings : MacControl Family
{
    meta:
        description = "MacControl Identifying Strings"
        author = "Seth Hardy"
        last_modified = "2014-06-17"
    strings:
        $ = "HTTPHeadGet"
        $ = "/Library/launched"
        $ = "My connect error with no ip!"
        $ = "Send File is Failed"
        $ = "****************************You Have got it!****************************"
    condition:
        any of them
}
The following benign scenarios may produce matches. Each lists a suggested exclusion by the process that touched the file; apply an exclusion only after confirming the scenario actually occurs in your environment, and note that YARA itself has no notion of a process, so these filters only apply where the scanning engine (an EDR on-access scanner, a sandbox) attributes the match to the process that read or wrote the file. Process names are also trivially spoofed by malware, so an exclusion should downgrade an alert for analyst review rather than drop it, and the matched file's code signature should still be checked. Each exclusion must combine its conditions with "and": the form `process.name != "a" or process.name != "b"` is true for every process (no single name equals both) and would suppress every alert.
Scenario: System Integrity Protection (SIP) Verification Process
Description: macOS integrity tooling such as spctl and codesign reads and verifies binaries; a scan attributed to those reads can fire if a verified file contains one of the strings.
Filter/Exclusion: process.name != "spctl" and process.name != "codesign"
Scenario: macOS Software Update Installation
Description: During a macOS update, softwareupdate and the installer process read and write many files, and a scan attributed to them can fire if one of those files contains a matching string.
Filter/Exclusion: process.name != "softwareupdate" and process.name != "Install macOS"
Scenario: Admin Task – User Account Creation via dscl
Description: System administrators use the dscl command to create user accounts, which writes to directory services files; a scan attributed to dscl or launchd can fire if those files contain a matching string.
Filter/Exclusion: process.name != "dscl" and process.name != "launchd"
Scenario: Scheduled Job – Log Rotation via logrotate
Description: Log rotation tools such as logrotate (not installed on macOS by default; newsyslog is the native tool) read and rewrite log files, and a log that records one of the strings, for example an error message captured from an infected host, will match during processing.
Filter/Exclusion: process.name != "logrotate" and process.name != "rsyslog"
Scenario: Security Tool – Malware Scan with ClamAV
Description: Antivirus tools such as ClamAV read every file they scan, and their signature databases (downloaded by freshclam) may themselves contain the strings, so a scan attributed to clamscan or freshclam can match.
Filter/Exclusion: process.name != "clamscan" and process.name != "freshclam"
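The following is an added example, not code from the original rule page or from the rule's author. It re-implements the rule's matching semantics in plain Python (YARA's default string modifier is a case-sensitive ASCII byte search, and `any of them` means one hit suffices), runs it over constructed sample buffers and constructed scan events, and shows the process-name exclusion written both as the page's original `or` form and the corrected form. The process allow-list, the `triage`/`scan_events` helpers and all sample data are assumptions for illustration.

```python
"""Added example: MacControlStrings matching and exclusion logic in Python.

Not part of the original page. The rule strings are copied verbatim from the
YARA rule; everything else (event shape, helper names, sample data) is assumed.
"""
from typing import Dict, List, Optional

# The five strings from the MacControlStrings YARA rule, unchanged.
MACCONTROL_STRINGS: List[bytes] = [
    b"HTTPHeadGet",
    b"/Library/launched",
    b"My connect error with no ip!",
    b"Send File is Failed",
    b"****************************You Have got it!****************************",
]

# Process names the page lists as tuning exclusions (assumed allow-list).
EXCLUDED_PROCESSES = frozenset({
    "spctl", "codesign", "softwareupdate", "Install macOS",
    "dscl", "launchd", "logrotate", "rsyslog", "clamscan", "freshclam",
})


def match_maccontrol(data: bytes) -> List[bytes]:
    """Return the rule strings present in data; a non-empty list means the
    rule fires. Mirrors YARA: plain ASCII, case-sensitive byte search, and
    the condition 'any of them'."""
    return [s for s in MACCONTROL_STRINGS if s in data]


def excluded_by_process_buggy(process_name: str) -> bool:
    """The page's original filter shape, `a != x or a != y`.
    No single name equals both x and y, so this is True for every process
    and would suppress every alert."""
    return process_name != "spctl" or process_name != "codesign"


def excluded_by_process(process_name: str) -> bool:
    """Corrected filter: exclude only when the name is on the allow-list."""
    return process_name in EXCLUDED_PROCESSES


def triage(data: bytes, process_name: Optional[str] = None) -> Dict[str, object]:
    """Combine the content match with process-based tuning.
    A hit attributed to an excluded process is marked suppressed for analyst
    review instead of being dropped; a spoofed process name still leaves a record."""
    hits = match_maccontrol(data)
    if not hits:
        return {"alert": False, "hits": [], "suppressed": False}
    suppressed = process_name is not None and excluded_by_process(process_name)
    return {"alert": not suppressed, "hits": hits, "suppressed": suppressed}


def scan_events(events: List[Dict[str, object]]) -> List[str]:
    """Run triage over scan events of the assumed shape
    {"path": str, "process": str, "content": bytes} and return the paths
    that should raise an alert (matched and not suppressed)."""
    return [
        str(e["path"])
        for e in events
        if triage(e["content"], str(e["process"]))["alert"]  # type: ignore[arg-type]
    ]


# Constructed sample buffers (not real malware samples).
SAMPLE_IMPLANT = b"\x00" * 16 + b"/Library/launched" + b"\x00" * 8 + b"HTTPHeadGet\x00"
SAMPLE_CLEAN = b"#!/bin/sh\necho 'rotating logs'\nexit 0\n"
SAMPLE_REPORT = b"Analyst note: the sample printed \"Send File is Failed\" on error\n"

# Constructed scan events: one implant read by a shell, one analyst report
# read by clamscan, one clean script read by logrotate.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"path": "/Users/alice/.tmp/ctl", "process": "bash", "content": SAMPLE_IMPLANT},
    {"path": "/Users/bob/notes/report.txt", "process": "clamscan", "content": SAMPLE_REPORT},
    {"path": "/etc/periodic/daily/rotate.sh", "process": "logrotate", "content": SAMPLE_CLEAN},
]

if __name__ == "__main__":
    print("alerting paths:", scan_events(SAMPLE_EVENTS))
    print("buggy filter on 'bash':", excluded_by_process_buggy("bash"))
    print("fixed filter on 'bash':", excluded_by_process("bash"))
```

Running the block alerts only on the implant read by `bash`; the report read by `clamscan` is recorded as suppressed, and the buggy `or` filter reports `bash` as excluded, which is exactly the failure the corrected form avoids.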