Elevated Execution with Prompt

攻击者可以通过提示用户输入凭据来利用AuthorizationExecuteWithPrivileges API升级特权。此API的目的是为应用程序开发人员提供一种使用root特权执行操作的简便方法，例如用于应用程序安装或更新。此API不会验证请求root特权的程序是否来自信誉良好的源或已被恶意修改。尽管不推荐使用此API，但它仍可在最新版本的macOS中完全发挥作用。调用此API时，将提示用户输入其凭据，但不检查程序的来源或完整性。调用API的程序还可以加载可写的世界文件，可以将其修改为以提升的特权执行恶意行为。

攻击者可能滥用AuthorizationExecuteWithPrivileges以获得root特权，以便在受害者上安装恶意软件并安装持久性机制。该技术可以与伪装(T1036)结合使用，以欺骗用户向恶意代码授予逐步升级的特权。通过修改使用此API的计算机上存在的合法程序，该技术也已显示出有效

Elevated Execution with Prompt

Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.[1] The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms. This technique may be combined with Masquerading to trick the user into granting escalated privileges to malicious code.[2][3] This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.[2]

标签

ID编号： T1514

策略： 特权升级

平台： macOS

所需权限： 管理员，user

有效权限： root

数据源： 文件监视，过程监视，API监视

程序示例

名称	描述
OSX/Shlayer (S0402)	OSX/Shlayer (S0402)可以通过询问用户凭据来将特权升级为root用户。

Name	Description
OSX/Shlayer(S0402)	OSX/Shlayer (S0402) can escalate privileges to root by asking the user for credentials.

缓解措施

缓解	描述
执行预防(M1038)	系统设置可以阻止尚未通过Apple Store下载的应用程序运行，这可能有助于缓解其中的一些问题。不允许运行未签名的应用程序也可以减轻一些风险。

Mitigation	Description
Execution Prevention(M1038)	System settings can prevent applications from running that haven't been downloaded through the Apple Store which may help mitigate some of these issues. Not allowing unsigned applications from being run may also mitigate some risk.

检测

考虑监视/usr/libexec/security_authtrampoline可能表明正在执行AuthorizationExecuteWithPrivileges的执行。MacOS系统日志还可以指示何时调用AuthorizationExecuteWithPrivileges。监视OS API回调的执行也可以是检测此行为的一种方式，但需要专门的安全工具。

Consider monitoring for /usr/libexec/security_authtrampoline executions which may indicate that AuthorizationExecuteWithPrivileges is being executed. MacOS system logs may also indicate when AuthorizationExecuteWithPrivileges is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.