Threat Feed

Tag: macos (10 briefs)
high advisory

CUPS Vulnerability Allows Local Privilege Escalation

A local attacker can exploit a vulnerability in CUPS to execute arbitrary program code with administrator privileges on Linux and macOS systems.

CUPS privilege-escalation linux macos
high advisory

Bad Apples: Weaponizing Native macOS Primitives for Lateral Movement and Execution

Adversaries are increasingly targeting macOS environments, leveraging native tools like Remote Application Scripting (RAS) and Spotlight metadata to bypass security controls for remote code execution and lateral movement.

macos lotl lateral-movement execution
medium advisory

First Time Python Process Creates macOS Launch Agent or Daemon

This rule detects the initial creation or modification of a macOS LaunchAgent or LaunchDaemon plist file by a Python process, a common persistence technique employed by attackers using malicious scripts, compromised dependencies, or model file deserialization.

persistence macos python
high advisory

Electron Use-After-Free Vulnerability in PowerMonitor Module

A use-after-free vulnerability exists in the `powerMonitor` module of Electron applications on Windows and macOS. When the native `PowerMonitor` object is garbage-collected, dangling references are retained by OS-level resources. Subsequent session-change events on Windows or system shutdowns on macOS may dereference freed memory, potentially leading to a crash or memory corruption.

electron use-after-free vulnerability powermonitor windows macos
high advisory

CVE-2024-44250: macOS Sequoia Privilege Escalation Vulnerability

CVE-2024-44250 is a permission issue in macOS Sequoia 15.1 that allows an application to execute arbitrary code outside of its sandbox or with elevated privileges, potentially leading to full system compromise.

privilege-escalation macos cve-2024-44250
low advisory

Kubectl Network Configuration Modification

This rule detects potential kubectl network configuration modification activity by monitoring for process events where the kubectl command is executed with arguments that suggest an attempt to modify network configurations in Kubernetes, potentially leading to unauthorized access or data exfiltration.

kubectl kubernetes command_and_control network_configuration linux macos
high advisory

GhostLoader Malware Targeting macOS via GitHub and AI Workflows

GhostLoader malware leverages GitHub repositories and AI-assisted development workflows to distribute credential-stealing payloads targeting macOS systems.

github malware macos credential-theft ai
high advisory

Malware Spreading Through Fake 'Claude Code' Google Ads

Malware is distributed via malicious advertisements on Google impersonating 'Claude Code', targeting both Windows and macOS operating systems with the goal of infecting users.

malware google_ads initial_access windows macos
medium advisory

GenAI Process Connection to Unusual Domain on macOS

This rule detects GenAI tools on macOS connecting to unusual domains, potentially indicating command and control activity, data exfiltration, or malicious payload retrieval following compromise via prompt injection, malicious MCP servers, or poisoned plugins.

Copilot genai command and control macos network connection
low advisory

Spike in Bytes Sent to an External Device via AirDrop

A machine learning job has detected a spike in bytes of data written to an external device via AirDrop, potentially indicating illicit data copying or transfer activities.

data-exfiltration macos airdrop