Responding to new threats with BeyondTrust Endpoint Privilege Management
With the recently disclosed vulnerability in macOS, patched by Apple under CVE-2021-30657, we can take a look at how BeyondTrust's Endpoint Privilege Management software for macOS endpoints can help to guard against such threats.
For a detailed analysis of CVE-2021-30657 see Patrick Wardle's blog post at
The specific attack vector here is an application bundle whose main "executable" is actually a script.
To block this type of application from running, edit your policy and find an Application group which is already set to be blocked. If your policy is based on the Quick Start for Mac policy, then a good candidate for this would be the Application group "Block - Applications" which applies to All Users.
In this group, insert a new application of type Script and set the matching criteria as follows
This regular expression applies to any running script, and it matches when the script's file name is identical to the name of the enclosing .app folder.
For example, the following paths will all match the above regular expression:
MyMalware.app/Contents/MacOS/MyMalware
SillyApp.app/Contents/MacOS/SillyApp
AttemptedHijack.app/Contents/MacOS/AttemptedHijack
It is true that an application bundle on macOS can legitimately have a script as its main application binary. If you follow best practice and use an application whitelisting based policy, rather than attempting to explicitly blacklist known malware, then you can pre-approve known applications that use this structure in your policy before the generic rule to block applications of this type is enforced on your endpoints.
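The following is an added example, not BeyondTrust's own matching criteria or policy engine. It implements the rule described above (block a script whose file name equals the name of its enclosing .app folder) as a regular expression, and models the policy order the previous paragraph recommends: a pre-approved bundle is allowed before the generic block rule applies. The regex, the sample paths beyond the three shown on the page, and the "LegacyTool" allow-list entry are all constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed regex (an assumption, not the expression from the BeyondTrust policy):
# the script file name must equal the name of the enclosing .app folder, i.e.
# <Name>.app/Contents/MacOS/<Name>. \1 is a backreference to the captured bundle
# name and (?:^|/) lets the path be either relative or absolute.
BUNDLE_SCRIPT_RE = re.compile(r"(?:^|/)([^/]+)\.app/Contents/MacOS/\1$")


def bundle_name(path: str) -> Optional[str]:
    """Return the .app bundle name when the path matches the rule, else None."""
    m = BUNDLE_SCRIPT_RE.search(path)
    return m.group(1) if m else None


def evaluate(path: str, preapproved: Iterable[str]) -> str:
    """Model the policy order described on the page: an allow-listed bundle is
    approved before the generic block rule is reached.
    Returns "allow", "block" or "no-match"."""
    name = bundle_name(path)
    if name is None:
        return "no-match"          # not a script-as-bundle-executable; rule does not apply
    if name in set(preapproved):
        return "allow"             # known-good application pre-approved in policy
    return "block"                 # generic "Block - Applications" rule fires


def evaluate_all(paths: Iterable[str], preapproved: Iterable[str]) -> Dict[str, str]:
    """Evaluate a batch of script paths and return path -> verdict."""
    return {p: evaluate(p, preapproved) for p in paths}


# Constructed sample inputs; the first three are the page's own examples.
SAMPLE_PATHS: List[str] = [
    "MyMalware.app/Contents/MacOS/MyMalware",
    "SillyApp.app/Contents/MacOS/SillyApp",
    "AttemptedHijack.app/Contents/MacOS/AttemptedHijack",
    "/Applications/LegacyTool.app/Contents/MacOS/LegacyTool",  # hypothetical pre-approved app
    "/Applications/Real.app/Contents/MacOS/Real-helper",       # script name differs: no match
    "/Applications/Real.app/Contents/Resources/Real",          # not under Contents/MacOS
    "/usr/local/bin/Real",                                     # plain script, not in a bundle
]

# Hypothetical allow-list of bundles known to legitimately use a script launcher.
PREAPPROVED: List[str] = ["LegacyTool"]

if __name__ == "__main__":
    for path, verdict in evaluate_all(SAMPLE_PATHS, PREAPPROVED).items():
        print(f"{verdict:9} {path}")
```

Note that the comparison is case-sensitive, matching the exact-name rule as described; because the default macOS file system is case-insensitive, a production rule may need to account for case as well.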