TCC Bypass via Mounted APFS Snapshot Access
Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file system, including all user data and files protected by Apple’s privacy framework (TCC).
Elastic rule
[metadata]
creation_date = "2020/01/04"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots
as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file
system, including all user data and files protected by Apple’s privacy framework (TCC).
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "TCC Bypass via Mounted APFS Snapshot Access"
references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
risk_score = 73
rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect; for macOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent; you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as the configuration preset, which provides "All events; all preventions". This rule needs process start events, so a preset that suppresses them will not feed it.
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and process.name:mount_apfs and
  process.args:(/System/Volumes/Data and noowners)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating TCC Bypass via Mounted APFS Snapshot Access

Apple's TCC framework safeguards user data by controlling which applications may read sensitive locations such as the user's Desktop, Documents, Mail and browser data. TCC enforces its checks on those protected paths, so the same data reached through a different path is not covered. A local APFS snapshot of the data volume (`/System/Volumes/Data`) mounted read-only at a new mount point with the `noowners` flag exposes every file in the snapshot to the mounting user, because `noowners` makes the file system ignore the stored owner and group IDs. This is the CVE-2020-9771 technique referenced by the rule; Apple's fix made mounting a snapshot of the data volume subject to Full Disk Access, so on patched hosts the mount only succeeds for a caller holding that permission. The detection rule identifies the misuse by monitoring execution of `mount_apfs` with both `/System/Volumes/Data` and `noowners` among its arguments.

### Possible investigation steps

- Review the process execution details: confirm that `mount_apfs` ran with `/System/Volumes/Data` and `noowners` in `process.args`, and capture the full command line, including the snapshot name passed with `-s` and the target mount point.
- Keep in mind that the query is an exact, case-sensitive token match on `process.args`; an invocation that folds `noowners` into a comma-separated option list (for example `-o rdonly,noowners`) would not match, so also review `process.command_line` for other `mount_apfs` executions on the host around the alert time.
- Check whether the snapshot is still mounted (`mount` on the host shows the mount point and its options) and list the local snapshots available to an attacker with `tmutil listlocalsnapshots /`.
- Investigate the user account and parent process behind the execution to determine whether the activity aligns with expected administrative behavior or indicates unauthorized access; an unprivileged interactive user, or a script launched from a user-writable location, is more suspicious than an enrolled management agent.
- Examine the timeline of events before and after the alert, in particular file reads under the new mount point and any archiving or network activity, to identify related suspicious processes that may indicate a broader compromise.
- Check for recent changes in system configuration or user permissions, including whether the host is missing the macOS update that addressed CVE-2020-9771, that could have facilitated the bypass.
- Correlate the alert with other security logs or alerts to assess whether this is part of a larger pattern of malicious behavior or an isolated event.

### False positive analysis

- Backup or system maintenance tools may legitimately mount local snapshots, but mounting the data volume's snapshot with `noowners` is rarely required; confirm the tool's purpose before excluding it, and scope any exception to the signed binary or parent process rather than to the `mount_apfs` name alone.
- Developers or IT administrators might run `mount_apfs` during testing or troubleshooting. Rather than excluding whole user accounts, document the expected context (administrator session, management tooling) and tune on the parent process or user only where the activity is recurring and verified.
- Automated scripts or scheduled tasks that mount snapshots for legitimate purposes may trigger the rule. Review these scripts and, if deemed safe, add exclusions keyed on their execution context (parent process, executable path, code-signing identity) rather than on broad terms.
- Security or monitoring software that inspects snapshots for file-system integrity checks may match the rule. Identify these tools by their signed binaries and exclude that specific process lineage.

### Response and remediation

- Isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.
- The `mount_apfs` process exits as soon as the mount is established, so terminating it achieves little; instead unmount the snapshot mount point (`umount` or `diskutil unmount`), verify with `mount` that no snapshot of `/System/Volumes/Data` remains mounted, and record the mount point path for the investigation.
- Review system logs and user activity to determine which files were read through the mount point. Because the mount is read-only, the impact is disclosure rather than tampering, so prioritize identifying exposed credentials, tokens, mail and browser data and rotate anything sensitive.
- Update macOS to a version that includes the fix for CVE-2020-9771 and keep installed applications current.
- Continue to monitor `mount_apfs` snapshot mounts and Full Disk Access grants, and restrict local administrator rights where they are not required, to limit similar bypass attempts.
- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1006"
name = "Direct Volume Access"
reference = "https://attack.mitre.org/techniques/T1006/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
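The following Python is an added example, not part of the Elastic rule or its repository. It re-implements the rule's KQL predicate over constructed ECS-style process events and contrasts it with a hunting variant that also catches `noowners` buried inside a comma-separated `-o` list. The snapshot name, the `rdonly` option and the sample command lines are placeholders, and the assumption that `mount_apfs` accepts comma-separated option lists the way mount(8) does is the example's, not the page's.

```python
"""Plain-Python model of the Elastic rule "TCC Bypass via Mounted APFS Snapshot Access"
run over constructed ECS process events. Added example; not Elastic's code."""
import shlex
from typing import Iterable

# Exact tokens the rule requires in process.args (KQL term match on a keyword field).
RULE_ARGS = frozenset({"/System/Volumes/Data", "noowners"})
START_TYPES = frozenset({"start", "process_started"})


def _as_list(value) -> list:
    """ECS allows event.category / event.type to be a string or an array."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matches_rule(event: dict) -> bool:
    """Equivalent of the rule's KQL:
    event.category:process and host.os.type:macos and event.type:(start or process_started)
    and process.name:mount_apfs and process.args:(/System/Volumes/Data and noowners).
    Each required value must appear as its own element of process.args."""
    ev = event.get("event", {})
    proc = event.get("process", {})
    return (
        "process" in _as_list(ev.get("category"))
        and event.get("host", {}).get("os", {}).get("type") == "macos"
        and bool(START_TYPES & set(_as_list(ev.get("type"))))
        and proc.get("name") == "mount_apfs"
        and RULE_ARGS <= set(proc.get("args", []))
    )


def mount_options(argv: list) -> set:
    """Split '-o a,b' and '-oa,b' into individual options, as mount(8)-style tools do
    (assumption: mount_apfs follows the same convention)."""
    opts = set()
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-o" and i + 1 < len(argv):
            opts.update(argv[i + 1].split(","))
            i += 2
            continue
        if arg.startswith("-o") and len(arg) > 2:
            opts.update(arg[2:].split(","))
        i += 1
    return opts


def matches_hunting_variant(event: dict) -> bool:
    """Same gate as the rule, but tolerant of noowners inside a comma-separated -o list."""
    ev = event.get("event", {})
    proc = event.get("process", {})
    argv = proc.get("args", [])
    return (
        "process" in _as_list(ev.get("category"))
        and event.get("host", {}).get("os", {}).get("type") == "macos"
        and bool(START_TYPES & set(_as_list(ev.get("type"))))
        and proc.get("name") == "mount_apfs"
        and "/System/Volumes/Data" in argv
        and "noowners" in mount_options(argv)
    )


def event_from_command_line(cmdline: str, os_type: str = "macos", event_type: str = "start") -> dict:
    """Build a minimal ECS process event the way an EDR records it:
    process.args is argv and process.name is the basename of argv[0]."""
    argv = shlex.split(cmdline)
    return {
        "event": {"category": ["process"], "type": [event_type]},
        "host": {"os": {"type": os_type}},
        "process": {"name": argv[0].rsplit("/", 1)[-1], "args": argv, "command_line": cmdline},
    }


# Constructed sample events (not real telemetry). SNAP is a placeholder in the
# com.apple.TimeMachine.<timestamp> form that local snapshots use.
SNAP = "com.apple.TimeMachine.2020-02-11-135900"
SAMPLE_EVENTS = [
    # 1. The CVE-2020-9771 shape: data-volume snapshot mounted with noowners.
    event_from_command_line(f"/sbin/mount_apfs -o noowners -s {SNAP} /System/Volumes/Data /tmp/snap"),
    # 2. noowners hidden in a comma-separated option list: escapes the exact-token rule.
    event_from_command_line(f"/sbin/mount_apfs -o rdonly,noowners -s {SNAP} /System/Volumes/Data /tmp/snap"),
    # 3. Snapshot mount without noowners: ownership checks still apply, no alert.
    event_from_command_line(f"/sbin/mount_apfs -s {SNAP} /System/Volumes/Data /tmp/snap"),
    # 4. noowners on some other volume, not the data volume.
    event_from_command_line("/sbin/mount_apfs -o noowners /dev/disk4s1 /Volumes/External"),
    # 5. Right arguments, wrong host OS: the rule is scoped to macOS.
    event_from_command_line(f"/sbin/mount_apfs -o noowners -s {SNAP} /System/Volumes/Data /tmp/snap", os_type="linux"),
]


def evaluate(events: Iterable[dict]) -> list:
    """Return (command_line, rule_hit, hunting_hit) for each event."""
    return [(e["process"]["command_line"], matches_rule(e), matches_hunting_variant(e)) for e in events]


if __name__ == "__main__":
    for cmd, rule_hit, hunt_hit in evaluate(SAMPLE_EVENTS):
        print(f"rule={rule_hit!s:5} hunt={hunt_hit!s:5}  {cmd}")
```

Only the first sample trips the rule as written; the second shows why a hunting query on `process.command_line` (a wildcard match such as `process.command_line : *noowners*` scoped to `mount_apfs`) is a useful companion to the exact-token production rule, while samples 3 to 5 confirm the gate does not fire on ordinary snapshot mounts, other volumes or non-macOS hosts.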
References
- https://theevilbit.github.io/posts/cve_2020_9771/
Related rules
- Attempt to Disable Gatekeeper
- Attempt to Install Root Certificate
- Attempt to Unload Elastic Endpoint Security Kernel Extension
- Creation of Hidden Launch Agent or Daemon
- Elastic Agent Service Terminated