Elevated Access MalOps - Research

Elevated access covers behaviors in which a process or other item receives privileges beyond its normal level; this is also known as privilege escalation. Some security programs do not classify elevated access as a critical vulnerability, but it is a necessary step in attacks. Elevated access typically occurs through one of a few methods: exploiting a vulnerability, injecting code, using the RunAs command when the credentials are known, or using tools such as PowerUp, which combine several of these methods in PowerShell.

The ‘Attempt to disable macOS Gatekeeper’ MalOp is triggered when a process tries to disable the native macOS Gatekeeper functionality in order to elevate its privileges.

This MalOp is part of the RESEARCH stability group.

Supported OS for this MalOp: macOS

Next steps: Attempt to disable macOS Gatekeeper

  • Investigate the process in question and view the Element Details for that process.

  • Investigate the process hierarchy to see what other activities are happening.

  • Kill the process if necessary.
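As an added example, not part of this documentation or the product's own detection logic, the following Python scans constructed process-execution events for the Gatekeeper-disable attempt described above and reconstructs the process hierarchy that the next steps ask an analyst to review. The event format, field names and sample values are assumptions made for the example.

```python
import re
from typing import Dict, List

# Command-line patterns that turn Gatekeeper off system-wide (spctl) or stop
# the quarantine tagging that Gatekeeper evaluates (LaunchServices default).
GATEKEEPER_DISABLE_PATTERNS = [
    re.compile(r"\bspctl\b.*--(master|global)-disable\b", re.I),
    re.compile(r"\bdefaults\s+write\s+com\.apple\.LaunchServices\s+LSQuarantine\b.*\b(false|0|no)\b", re.I),
]

# Constructed sample of process-execution events (pid, parent pid, user, command
# line). These are made up for the example and are not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1,   "user": "alice", "cmd": "/bin/zsh -l"},
    {"pid": 101, "ppid": 100, "user": "alice", "cmd": "/usr/sbin/spctl --status"},
    {"pid": 110, "ppid": 100, "user": "alice", "cmd": "/bin/sh /tmp/installer.sh"},
    {"pid": 111, "ppid": 110, "user": "root",  "cmd": "/usr/bin/sudo spctl --master-disable"},
    {"pid": 112, "ppid": 110, "user": "alice", "cmd": "/usr/sbin/spctl --assess -v /Applications/Foo.app"},
]


def is_gatekeeper_disable(cmd: str) -> bool:
    """True if the command line attempts to disable Gatekeeper system-wide."""
    return any(p.search(cmd) for p in GATEKEEPER_DISABLE_PATTERNS)


def process_chain(events: List[Dict], pid: int) -> List[str]:
    """Follow ppid links upward; returns command lines from the process to its top-most known ancestor."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against ppid cycles in bad data
        seen.add(pid)
        chain.append(by_pid[pid]["cmd"])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: List[Dict]) -> List[Dict]:
    """One alert per event that attempts to disable Gatekeeper, with its ancestry for triage."""
    alerts = []
    for e in events:
        if is_gatekeeper_disable(e["cmd"]):
            alerts.append({"pid": e["pid"], "user": e["user"], "cmd": e["cmd"],
                           "chain": process_chain(events, e["pid"])})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"pid {a['pid']} ({a['user']}): {a['cmd']}")
        print("  ancestry: " + " <- ".join(a["chain"]))
```

Only the status and assessment invocations of spctl are left unflagged; the disable attempt is reported together with the shell and installer script above it, which is the hierarchy the investigation step asks you to examine.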