Responding to new threats with BeyondTrust Endpoint Privilege Management

Introduction

With the recently disclosed vulnerability in macOS, patched by Apple under CVE-2021-30657, we can take a look at how BeyondTrust's Endpoint Privilege Management software for macOS endpoints can help to guard against such threats.

For a detailed analysis of CVE-2021-30657, see Patrick Wardle's blog post at https://objective-see.com/blog/blog_0x64.html

Ok, I get it, the application bundle was actually a script, but how can I block this?

The specific attack vector here is an application bundle whose main "executable" is actually a script.

To block this type of application from running, edit your policy and find an Application group which is already set to be blocked. If your policy is based on the Quick Start for Mac policy, a good candidate for this is the Application group "Block - Applications", which applies to All Users.

In this group, insert a new application of type Script and set the matching criteria as follows:

Matching criteria to block script based application bundles

This regular expression applies to any running script and matches when the script's file name is the same as the name of the enclosing .app folder.

For example, the following paths will all match the above regular expression:

MyMalware.app/Contents/MacOS/MyMalware

SillyApp.app/Contents/MacOS/SillyApp

AttemptedHijack.app/Contents/MacOS/AttemptedHijack
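The matching criterion described above can be tried out offline. The following is an added example, not BeyondTrust's own rule or code: the article's regular expression is shown in an image that is not reproduced here, so the pattern below is an assumption that implements the stated rule (script name equals the enclosing .app folder name), combined with a magic-byte check so that a bundle whose main executable is a genuine Mach-O binary is not flagged. The sample paths and file headers are constructed.

```python
import re

# Assumed pattern (not the article's own): the last path component must repeat
# the name of the enclosing .app bundle via Contents/MacOS.
BUNDLE_SCRIPT_RE = re.compile(r"(?:^|/)([^/]+)\.app/Contents/MacOS/\1$")

# Mach-O magic numbers: thin 32-bit, thin 64-bit and fat binaries, both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",
}


def is_bundle_main_executable(path: str) -> bool:
    """True when the file name equals the bundle name (MyApp.app/Contents/MacOS/MyApp)."""
    return BUNDLE_SCRIPT_RE.search(path) is not None


def classify_main_executable(head: bytes) -> str:
    """Classify an executable by its first bytes: shebang -> script, Mach-O -> native."""
    if head.startswith(b"#!"):
        return "script"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    return "unknown"


def should_block(path: str, head: bytes) -> bool:
    """Block only a bundle main executable that is really a script."""
    return is_bundle_main_executable(path) and classify_main_executable(head) == "script"


# Constructed samples: (path, first bytes of the file).
SAMPLES = [
    ("MyMalware.app/Contents/MacOS/MyMalware", b"#!/bin/sh\necho hello\n"),
    ("SillyApp.app/Contents/MacOS/SillyApp", b"#!/usr/bin/env python3\n"),
    ("AttemptedHijack.app/Contents/MacOS/AttemptedHijack", b"#!/bin/bash\n"),
    # Real binary: name matches the bundle, but it is Mach-O, so not a script.
    ("/Applications/Safari.app/Contents/MacOS/Safari", b"\xcf\xfa\xed\xfe" + b"\x00" * 12),
    # Helper script inside a bundle whose name differs from the bundle: no match.
    ("Tool.app/Contents/MacOS/helper.sh", b"#!/bin/sh\n"),
]


def evaluate(samples):
    """Map each sample path to the block decision."""
    return {path: should_block(path, head) for path, head in samples}


if __name__ == "__main__":
    for path, blocked in evaluate(SAMPLES).items():
        print(f"{'BLOCK ' if blocked else 'allow '} {path}")
```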

But some applications legitimately have a script as their main binary?

It is true that an application bundle on macOS can legitimately have a script as its main application binary. If you follow best practice and use an application whitelisting-based policy, rather than attempting to explicitly blacklist known malware, you can pre-approve known applications that use this structure in your policy before the generic rule blocking applications of this type is enforced on your endpoints.
