From 80968035bb3753056e788387c2997a193062ce89 Mon Sep 17 00:00:00 2001
From: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Date: Thu, 5 Feb 2026 11:20:16 -0600
Subject: [PATCH] MacOS detection rules tuning (#5667)

* Sync macOS detection rules with endpoint-rules logic
- Fix Bifrost Kerberos query logic (broken parentheses grouping)
- Add authenticate pattern and NinjaRMM exclusion to osascript phishing rule
- Update SCP privacy bypass to use 127.0.0.? loopback pattern
- Add wildcard EndpointSecurity pattern to kext unload rule
* Fix Safari settings rule to use targeted approach
- Change from broad catch-all with exclusions to targeted dangerous settings
- Only detect IncludeDevelopMenu and JavaScript setting changes
- Reduces false positives from benign Safari preference changes
* Add Parallels Desktop exclusion to Hosts File Modified rule
- Excludes /Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd (5,074 alerts in 90 days)
---
 rules/cross-platform/impact_hosts_file_modified.toml | 3 ++-
 .../credential_access_promt_for_pwd_via_osascript.toml | 6 ++++--
 ...lege_escalation_privacy_pref_sshd_fulldiskaccess.toml | 6 +++---
 rules/macos/defense_evasion_safari_config_change.toml | 8 ++++----
 .../defense_evasion_unload_endpointsecurity_kext.toml | 4 ++--
 ...vement_credential_access_kerberos_bifrostconsole.toml | 9 +++++++--
 6 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 982cc50f0..f3a1b74f8 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2026/01/29"
+updated_date = "2026/02/02"
 
 [rule]
 author = ["Elastic"]
@@ -101,6 +101,7 @@ any where process.executable != null and
 "C:\\Program Files (x86)\\Quick Heal AntiVirus Pro\\SCANNER.EXE",
 "C:\\Program Files\\Quick Heal\\Quick Heal Internet Security\\scanner.exe",
 "C:\\Program Files (x86)\\Cisco\\Cisco AnyConnect Secure Mobility Client\\vpnagent.exe",
+ "/Applications/Parallels Desktop.app/Contents/MacOS/prl_naptd",
 "/opt/IBM/InformationServer/Server/DSEngine/bin/uvsh",
 "/usr/local/demisto/server",
 "/usr/local/bin/defender")
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index 6aa6ae4ce..24d5fa1fb 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/16"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/04/21"
+updated_date = "2026/02/02"
 
 [rule]
 author = ["Elastic"]
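Review bot: The new `prl_naptd` exclusion is keyed on the executable path alone and the rule carries no record of why it was added; the "5,074 alerts in 90 days" rationale lives only in the commit message. Recording it in the rule itself (the `false_positives` list if this rule has one, or a short line in the triage note) lets the next tuner judge whether a path-only carve-out for a virtualization helper is still acceptable, and a note that the exclusion applies on macOS only would keep the cross-platform list readable. The enclosing `any where` expression and the `not process.executable in (...)` list start before this hunk.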
@@ -60,13 +60,15 @@
 type = "eql"
 
 query = '''
 process where event.action == "exec" and host.os.type == "macos" and
- process.name == "osascript" and process.args == "-e" and process.command_line like~ ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*", "*pass*display*dialog*") and
+ process.name == "osascript" and process.args == "-e" and process.command_line like~ ("*osascript*display*dialog*password*", "*osascript*display*dialog*passphrase*", "*osascript*display*dialog*authenticate*", "*pass*display*dialog*") and
 not (process.parent.executable == "/usr/bin/sudo" and process.command_line like~ "*Encryption Key Escrow*") and
 not (process.command_line like~ "*-e with timeout of 3600 seconds*" and user.id like "0" and process.parent.executable == "/bin/bash") and
+ not process.parent.command_line like "sudo*" and
 not process.Ext.effective_parent.executable like~ ("/usr/local/jamf/*",
 "/Library/Intune/Microsoft Intune Agent.app/Contents/MacOS/IntuneMdmDaemon",
 "/Library/Application Support/Mosyle/MosyleMDM.app/Contents/MacOS/MosyleMDM",
+ "/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent",
 "/Applications/Karabiner-Elements.app/Contents/MacOS/Karabiner-Elements",
 "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon",
 "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfManagementService.app/Contents/MacOS/JamfManagementService")
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index f4f12731d..edcdf2e93 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
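Review bot: The added `not process.parent.command_line like "sudo*" and` is far broader than the `Encryption Key Escrow` exclusion two lines above it: it silences every osascript password/passphrase/authenticate dialog whose parent was started as `sudo …`, whatever the dialog asks for, and it largely subsumes that earlier, deliberately narrow sudo carve-out. It also keys on how sudo was spelled in argv rather than on the parent binary (case-sensitive `like`, and `/usr/bin/sudo …` would not match), so the two sudo exclusions now disagree on what "parented by sudo" means. If a specific privileged workflow is the source of the noise, anchoring on `process.parent.executable == "/usr/bin/sudo"` plus the observed command line, as the escrow exclusion does, keeps the carve-out auditable; if a blanket sudo exclusion is intended, the rule's description should say so. The query's closing `'''` lies outside this hunk.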
@@ -2,7 +2,7 @@
 creation_date = "2020/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/02/02"
 
 [rule]
 author = ["Elastic"]
@@ -63,8 +63,8 @@
 query = '''
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.name == "scp" and process.args like~ "StrictHostKeyChecking=no" and
- process.command_line : ("scp *localhost:/*", "scp *127.0.0.1:/*") and
- not process.args : "vagrant@*127.0.0.1*"
+ process.command_line like~ ("*scp *localhost:/*", "*scp *127.0.0.?:/*") and
+ not process.command_line like~ "*vagrant@*127.0.0.1*"
 '''
 note = """## Triage and analysis
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index e68881163..4a35cd072 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/02/02"
 
 [rule]
 author = ["Elastic"]
@@ -58,9 +58,9 @@
 type = "eql"
 
 query = '''
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
- process.name == "defaults" and process.args like~ ("com.apple.Safari", "write") and
- not process.args like~ ("UniversalSearchEnabled", "SuppressSearchSuggestions", "WebKitTabToLinksPreferenceKey", "ShowFullURLInSmartSearchField", "com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks")
+ process.name == "defaults" and process.args like~ "write" and
+ process.command_line like~ "*com.apple.Safari*" and
+ process.command_line like~ ("*IncludeDevelopMenu*", "*JavaScript*")
 '''
 note = """## Triage and analysis
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index 93c5eb03a..11135c572 100644
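Review bot: `"*scp *127.0.0.?:/*"` covers only 127.0.0.1 through 127.0.0.9, because `?` stands for exactly one character, so a copy from 127.0.0.10 or any other 127/8 address still passes the check that the commit message describes as a loopback pattern; `"*scp *127.0.0.*:/*"` covers the whole last octet, and a `127.*` pattern would be needed if the full 127/8 range is intended. The vagrant exclusion on the next line stays pinned to `*vagrant@*127.0.0.1*` while the detection now accepts 127.0.0.1–9, so the same vagrant workflow on another loopback address would alert; widen it in step or say in the triage note why only .1 is excluded. The hunk shows the whole `process where` expression and its closing `'''`.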
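Review bot: `process.command_line like~ ("*IncludeDevelopMenu*", "*JavaScript*")` is a bare substring match with no value check, so it fires on any key whose name contains `JavaScript` being set to either value, and `*com.apple.Safari*` is now matched anywhere in the command line rather than as the domain argument; the old `process.args like~ ("com.apple.Safari", "write")` was an OR over the two values, so splitting them into separate conditions is an improvement, but the narrowing to two settings changes what the rule covers and is not reflected in the description or triage note, both outside this hunk. A one-line comment in the note naming the two settings and why the previous allow-list was dropped would spare the next tuner from re-deriving it. If the substring form was chosen deliberately to catch the plist-path spelling of the domain, that is worth stating too, since `process.args like~ "com.apple.Safari"` would otherwise be the more precise form.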
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/05"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/02/02"
 
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@
 type = "eql"
 
 query = '''
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
- process.name == "kextunload" and process.args like~ ("/System/Library/Extensions/EndpointSecurity.kext", "EndpointSecurity.kext")
+ process.name == "kextunload" and process.args like~ ("*.EndpointSecurity", "/System/Library/Extensions/EndpointSecurity.kext", "EndpointSecurity.kext")
 '''
 note = """## Triage and analysis
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index 396e39d34..23775e461 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/12"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/03/18"
+updated_date = "2026/02/02"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,12 @@
 type = "eql"
 
 query = '''
 process where host.os.type == "macos" and event.type in ("start", "process_started") and
- process.args like~ "-action" and (process.args like~ ("-kerberoast", "askhash", "asktgs", "asktgt", "s4u") or process.args like~ ("-ticket", "ptt") or process.args like~ "dump") and process.args like~ ("tickets", "keytab")
+ process.args like~ "-action" and
+ (
+ process.args like~ ("-kerberoast", "askhash", "asktgs", "asktgt", "s4u") or
+ (process.args like~ "-ticket" and process.args like~ "ptt") or
+ (process.args like~ "dump" and process.args in~ ("tickets", "keytab"))
+ )
 '''
 note = """## Triage and analysis
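Review bot: The regrouped Bifrost query fixes the precedence problem, but it mixes operators for the same kind of test: `like~` is used for `-action`, the `-kerberoast`/`askhash`/`asktgs`/`asktgt`/`s4u` list, `-ticket`, `ptt` and `dump`, none of which contain a wildcard, while the new `dump` branch uses `in~ ("tickets", "keytab")` for equally literal values. Using `in~` for every exact token, e.g. `process.args in~ ("-kerberoast", "askhash", "asktgs", "asktgt", "s4u") or`, states that these are exact matches rather than patterns and makes the three branches read the same way. The rule still has no `process.name` or executable anchor, so each branch matches any process whose argument list happens to contain these tokens; that predates this change, but since the branches are now being reworked it is worth a sentence in the triage note so the intended coverage is explicit.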