Detects abuse of the AuthorizationExecuteWithPrivileges API to gain elevated privileges via user credential prompts, typically through invocation of /usr/libexec/security_authtrampoline. Detection correlates API usage, binary reputation, and prompt context.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | Execution of /usr/libexec/security_authtrampoline or child processes originating from non-trusted binaries triggering credential prompts |
| OS API Execution (DC0021) | macos:unifiedlog | Calls to AuthorizationExecuteWithPrivileges() observed via Apple System Logger or security_auditing tools |
| User Account Authentication (DC0002) | macos:unifiedlog | User credential prompt events without associated trusted installer package |

| Field | Description |
|---|---|
| BinaryReputationList | Allow list of trusted binaries invoking elevation prompts |
| TimeWindow | Temporal correlation threshold between API call and credential prompt |
| PromptContextValidation | Heuristic filters to determine whether a prompt context matches known legitimate installers |
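
The correlation described above, as an added example that is not part of the original strategy: it runs over constructed events (not real unified-log output) and applies the BinaryReputationList and TimeWindow fields; PromptContextValidation is not modelled, and the allow-listed paths and window length are assumed values.

```python
from datetime import datetime, timedelta

# Tunable fields from the strategy; values are assumptions for this example
BINARY_REPUTATION_LIST = {"/usr/sbin/installer"}          # BinaryReputationList
TIME_WINDOW = timedelta(seconds=10)                        # TimeWindow
AUTHTRAMPOLINE = "/usr/libexec/security_authtrampoline"

# Constructed events: (timestamp, kind, responsible binary, detail)
#   "process" = child executable spawned by the binary
#   "api"     = AuthorizationExecuteWithPrivileges() call by the binary
#   "prompt"  = credential dialog shown on behalf of the binary
EVENTS = [
    ("2024-05-01T10:00:00", "api", "/usr/sbin/installer", "AuthorizationExecuteWithPrivileges"),
    ("2024-05-01T10:00:01", "process", "/usr/sbin/installer", AUTHTRAMPOLINE),
    ("2024-05-01T10:00:02", "prompt", "/usr/sbin/installer", "credential prompt"),
    ("2024-05-01T10:05:00", "api", "/Users/alice/Downloads/Updater.app/Contents/MacOS/Updater",
     "AuthorizationExecuteWithPrivileges"),
    ("2024-05-01T10:05:01", "process", "/Users/alice/Downloads/Updater.app/Contents/MacOS/Updater",
     AUTHTRAMPOLINE),
    ("2024-05-01T10:05:03", "prompt", "/Users/alice/Downloads/Updater.app/Contents/MacOS/Updater",
     "credential prompt"),
    ("2024-05-01T11:00:00", "process", "/Users/bob/tool", AUTHTRAMPOLINE),  # no prompt nearby
]


def parse(ev):
    ts, kind, binary, detail = ev
    return datetime.fromisoformat(ts), kind, binary, detail


def detect(events, allow_list=BINARY_REPUTATION_LIST, window=TIME_WINDOW):
    """Alert on security_authtrampoline spawned by a non-allow-listed binary when a
    credential prompt from the same binary falls within the time window; a matching
    API-call event in the window raises severity from medium to high."""
    parsed = sorted((parse(e) for e in events), key=lambda e: e[0])
    alerts = []
    for ts, kind, binary, detail in parsed:
        if kind != "process" or detail != AUTHTRAMPOLINE or binary in allow_list:
            continue
        nearby = {k for t, k, b, _ in parsed if b == binary and abs(t - ts) <= window}
        if "prompt" not in nearby:
            continue  # trampoline without a user prompt: not the pattern this strategy covers
        severity = "high" if "api" in nearby else "medium"
        alerts.append({"binary": binary, "at": ts.isoformat(), "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```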