| ID | Name |
|---|---|
| T1548.001 | Setuid and Setgid |
| T1548.002 | Bypass User Account Control |
| T1548.003 | Sudo and Sudo Caching |
| T1548.004 | Elevated Execution with Prompt |
Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials. The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.
Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user is prompted to enter their credentials, but no checks on the origin or integrity of the program are made. The program calling the API may also load world-writable files, which can be modified to perform malicious behavior with elevated privileges.
Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms. This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code. This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.
OSX/Shlayer can escalate privileges to root by asking the user for credentials.
System settings can prevent applications that haven't been downloaded through the Apple Store from running, which may help mitigate some of these issues. Not allowing unsigned applications to run may also mitigate some risk.
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0009 | Process | OS API Execution | Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling. Consider monitoring for |
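The two conditions the page describes, a program that references AuthorizationExecuteWithPrivileges and world-writable files such a program might load while running with elevated privileges, can be inventoried offline on an installed application tree. The script below is an added example, not code from MITRE ATT&CK or from any tool the page names. It assumes a directory to walk (for instance an .app bundle), uses a raw byte scan for the symbol name as a coarse stand-in for inspecting the binary's import table, and builds a constructed sample bundle in a temporary directory so it runs anywhere.

```python
"""Added example (not from the MITRE ATT&CK page): inventory executables that
reference the deprecated AuthorizationExecuteWithPrivileges symbol and flag
world-writable files beside them. The sample bundle is constructed in a
temporary directory purely for demonstration."""
import os
import stat
import tempfile
from dataclasses import dataclass, field

SYMBOL = b"AuthorizationExecuteWithPrivileges"
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def references_symbol(path: str, symbol: bytes = SYMBOL, chunk: int = 1 << 20) -> bool:
    """Return True if the file contains the symbol name as raw bytes.

    A dynamically linked import leaves its name in the binary's string table,
    so a byte scan is a cheap inventory check (comparable to grepping `nm` or
    `otool` output). It shows a reference exists, not that the call is reached.
    """
    carry = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return False
            if symbol in carry + block:
                return True
            carry = block[-(len(symbol) - 1):]  # keep overlap across chunk edges


def is_world_writable(path: str) -> bool:
    """True if 'other' has write permission on the file itself (symlinks not followed)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


@dataclass
class AuditResult:
    privileged_helpers: list = field(default_factory=list)  # executables referencing the API
    world_writable: list = field(default_factory=list)      # files such a helper might load


def audit_tree(root: str) -> AuditResult:
    """Walk a directory tree and collect both risk signals."""
    result = AuditResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            if is_world_writable(path):
                result.world_writable.append(path)
            if os.lstat(path).st_mode & EXEC_BITS and references_symbol(path):
                result.privileged_helpers.append(path)
    return result


def build_sample_bundle() -> str:
    """Constructed sample: a fake helper that 'imports' the symbol, a
    world-writable config next to it, and a harmless read-only file."""
    root = tempfile.mkdtemp(prefix="sample_app_")
    macos_dir = os.path.join(root, "Contents", "MacOS")
    os.makedirs(macos_dir)
    helper = os.path.join(macos_dir, "Updater")
    with open(helper, "wb") as fh:
        # Not a real Mach-O; just enough bytes to exercise the string scan.
        fh.write(b"\x00" * 64 + b"_" + SYMBOL + b"\x00" * 65)
    os.chmod(helper, 0o755)
    config = os.path.join(root, "Contents", "Resources", "update.plist")
    os.makedirs(os.path.dirname(config))
    with open(config, "w") as fh:
        fh.write("<plist/>")
    os.chmod(config, 0o666)  # the weak setting: anyone can rewrite what the helper loads
    readme = os.path.join(root, "Contents", "README")
    with open(readme, "w") as fh:
        fh.write("ok")
    os.chmod(readme, 0o644)
    return root


def demo() -> AuditResult:
    """Build the constructed bundle and audit it."""
    return audit_tree(build_sample_bundle())


if __name__ == "__main__":
    r = demo()
    print("helpers referencing the API:", r.privileged_helpers)
    print("world-writable files:", r.world_writable)
```

Run against a real application directory, a hit in `privileged_helpers` combined with entries in `world_writable` under the same bundle is the configuration the text warns about: a program that will ask for root through the prompt and can be made to load attacker-modifiable content. Fixing the permissions (0o644 for data files) and verifying the bundle's code signature with `codesign --verify` are the natural follow-ups.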