Full Disk Access Permission Check
Detects suspicious access to the /Library/Preferences/com.apple.TimeMachine.plist file, indicating a potential attempt to verify or exploit Full Disk Access (FDA) permissions. This file is often checked by malware to confirm FDA privileges, which allow unrestricted access to sensitive user data.
Rule type: eql
Rule indices:
- logs-endpoint.events.file-*
Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:
Tags:
- Domain: Endpoint
- OS: macOS
- Use Case: Threat Detection
- Tactic: Discovery
- Data Source: Elastic Defend
Version: ?
Rule authors:
- Elastic
Rule license: Elastic License v2
file where host.os.type == "macos" and event.action == "open" and
file.path == "/Library/Preferences/com.apple.TimeMachine.plist" and
(process.name in ("osascript", "perl", "node", "ruby", "bash", "sh", "Terminal") or
process.name like "python*" or
process.code_signature.trusted == false or
process.code_signature.exists == false)
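The predicate of the query above, re-implemented in Python as an added example (not Elastic's code or part of the rule) and run over a few constructed endpoint file-open events; it follows EQL's treatment of a missing field as null, so an event with no process.code_signature block is not matched by the signature checks, and it uses case-sensitive matching as `in` and `like` do.

```python
from fnmatch import fnmatchcase

TM_PLIST = "/Library/Preferences/com.apple.TimeMachine.plist"
SCRIPT_HOSTS = {"osascript", "perl", "node", "ruby", "bash", "sh", "Terminal"}


def get(event, dotted):
    """Resolve a dotted ECS field name; None if any level is missing (EQL null)."""
    cur = event
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(event):
    """True when the event satisfies the rule's EQL predicate.

    A None (missing) field never satisfies a comparison, mirroring EQL, so
    an unsigned-looking process with no code_signature block does not match
    unless its name is one of the scripting hosts.
    """
    if get(event, "host.os.type") != "macos" or get(event, "event.action") != "open":
        return False
    if get(event, "file.path") != TM_PLIST:
        return False
    name = get(event, "process.name")
    if name in SCRIPT_HOSTS or (name is not None and fnmatchcase(name, "python*")):
        return True
    return (get(event, "process.code_signature.trusted") is False
            or get(event, "process.code_signature.exists") is False)


def base(action, name, sig):
    """Build a constructed sample event (not real telemetry)."""
    proc = {"name": name}
    if sig is not None:
        proc["code_signature"] = sig
    return {"host": {"os": {"type": "macos"}}, "event": {"action": action},
            "file": {"path": TM_PLIST}, "process": proc}


EVENTS = [
    base("open", "python3.11", {"trusted": True, "exists": True}),   # script host: match
    base("open", "backupd", {"trusted": True, "exists": True}),      # signed daemon: no match
    base("open", "updater", {"trusted": False, "exists": True}),     # untrusted signature: match
    base("modification", "sh", {"trusted": True, "exists": True}),   # wrong action: no match
    base("open", "helper", None),                                    # no signature block: null, no match
]


def triage(events):
    """Names of processes whose events the rule would alert on."""
    return [get(e, "process.name") for e in events if matches(e)]
```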
Framework: MITRE ATT&CK
Tactic:
- Name: Discovery
- Id: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
Technique:
- Name: File and Directory Discovery
- Id: T1083
- Reference URL: https://attack.mitre.org/techniques/T1083/
Framework: MITRE ATT&CK
Tactic:
- Name: Defense Evasion
- Id: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Abuse Elevation Control Mechanism
- Id: T1548
- Reference URL: https://attack.mitre.org/techniques/T1548/
Sub Technique:
- Name: TCC Manipulation
- Id: T1548.006
- Reference URL: https://attack.mitre.org/techniques/T1548/006/