MacOS Firewall Configuration Enumeration
Adversaries may enumerate MacOS firewall configurations to identify potential attack surfaces and determine active rules by executing commands like `defaults read /Library/Preferences/com.apple.alf` and `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`.
This threat brief addresses the reconnaissance activity of enumerating macOS firewall configurations. Attackers may use built-in macOS utilities like defaults and socketfilterfw to gather information about the firewall's status, allowed applications, and configured network flows. While these tools are legitimate and used by administrators, their execution, especially by non-administrative users or during unusual times, can indicate malicious reconnaissance. Specifically, the commands defaults read /Library/Preferences/com.apple.alf and /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate provide detailed firewall information. Defenders should monitor for the execution of these commands, focusing on unusual parent processes or user contexts, to detect early-stage intrusion attempts on macOS systems.
Attack Chain
- The attacker gains initial access to a macOS endpoint, potentially through social engineering or exploiting a software vulnerability.
- The attacker executes the command
defaults read /Library/Preferences/com.apple.alfto read the firewall's preferences file, revealing allowed applications and other settings. - The attacker executes the command
/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstateto determine the global state of the application firewall (enabled/disabled). - The attacker analyzes the output of these commands to identify potential weaknesses in the firewall configuration, such as overly permissive rules or disabled features.
- Based on the gathered information, the attacker plans subsequent actions, such as attempting to exploit allowed network services or bypass firewall rules.
- The attacker attempts lateral movement by exploiting identified vulnerabilities or misconfigurations to access other systems on the network.
Impact
Successful enumeration of macOS firewall configurations allows attackers to gain a deeper understanding of the target system's security posture. This knowledge can be leveraged to bypass security controls, identify vulnerable services, and ultimately compromise the system. While this activity itself does not directly cause damage, it significantly increases the likelihood of successful exploitation and data breach.
Recommendation
- Enable process execution logging on macOS endpoints using osquery, Endpoint Security framework, or an EDR solution to capture command-line arguments (
data_source). - Deploy the Sigma rule
MacOS List Firewall Rulesto your SIEM and tune the filtermacos_list_firewall_rules_filterto reduce false positives from legitimate administrative activity (rules). - Investigate any execution of
defaults read /Library/Preferences/com.apple.alfor/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstateby non-administrative users or from unexpected parent processes (rules). - Review firewall rules regularly to ensure they are correctly configured and do not allow unnecessary network access (overview).
Detection coverage 2
MacOS List Firewall Rules via Defaults
lowDetects attempts to enumerate macOS firewall rules using the `defaults` command.
MacOS Get Firewall Global State via Socketfilterfw
lowDetects attempts to get the macOS firewall's global state using `socketfilterfw`.
Detection queries are available on the platform. Get full rules →