# macOS Base VQL Sigma Model
This model is designed for triage of macOS systems using VQL-based Sigma rules. The rules that use this model will be evaluated once on all events. After all relevant rules are evaluated, the collection is complete.

Rules that utilise this model may include a `vql` section which may contain a VQL lambda to dictate how the event is generated. This allows the rule itself to generate all relevant fields. For example:

```yaml
vql: |
  x=>dict(
    Timestamp=timestamp(epoch=now()),
    EventData=dict(
      FieldA="value",
      FieldB=SomeVQLExpression
    ))
```
## Log Sources

Following is a list of recognized log sources.
## Field Mappings

The following field mappings can be used to access fields within the event. Note that it is also possible to access the fields directly (e.g. `EventData.AccessMask`).
| Name | Mapping |
|---|---|
| AuthReason | x=>x.EventData.AuthReason |
| AuthValue | x=>x.EventData.AuthValue |
| Client | x=>x.EventData.Client |
| ClientType | x=>x.EventData.ClientType |
| EventData | x=>x.EventData |
| Flags | x=>x.EventData.Flags |
| IndirectObjectIdentifier | x=>x.EventData.IndirectObjectIdentifier |
| LastModified | x=>x.EventData.LastModified |
| Service | x=>x.EventData.Service |
| Timestamp | x=>x.Timestamp |
| User | x=>x.EventData.User |
## vql/macos/*
This log source emits a single event. All rules using the log
source will receive this event, where they can run arbitrary VQL
queries to build the event themselves.
This is most useful for rules that want to generate their own
event data.
### VQL Query

```vql
SELECT timestamp(epoch=now()) AS Timestamp,
       dict(
         Computer=Hostname,
         Channel="VQL Evaluation",
         TimeCreated=dict(SystemTime=now())
       ) AS System,
       dict() AS EventData
FROM scope()
```
### Sample use in a sigma rule

```yaml
logsource:
  category: vql
  product: macos
```
## */macos/tcc
Queries the TCC (Transparency, Consent, and Control) database
for privacy permission grants. Returns one row per permission
entry from both system-wide and per-user TCC databases.
The Velociraptor client service (LaunchDaemon) must be granted
Full Disk Access to read the system-wide TCC.db.
### VQL Query

```vql
SELECT timestamp(epoch=last_modified) AS Timestamp,
       dict(
         Computer=Hostname,
         Channel="TCC.db"
       ) AS System,
       dict(
         Service=service,
         Client=client,
         ClientType=client_type,
         AuthValue=auth_value,
         AuthReason=auth_reason,
         User=if(condition=OSPath =~ "Users",
                 then=path_split(path=OSPath)[-5],
                 else="System"),
         LastModified=timestamp(epoch=last_modified),
         IndirectObjectIdentifier=indirect_object_identifier,
         Flags=flags
       ) AS EventData
FROM foreach(row={
    SELECT OSPath
    FROM glob(globs=split(string="/Library/Application Support/com.apple.TCC/TCC.db,/Users/*/Library/Application Support/com.apple.TCC/TCC.db", sep=","))
  }, query={
    SELECT *, OSPath
    FROM sqlite(file=OSPath, query="SELECT * FROM access")
  })
```
### Sample Events

#### TCC access entry

```json
{
  "Timestamp": "2025-01-15T10:30:00Z",
  "System": {"Computer": "mac-host.local", "Channel": "TCC.db"},
  "EventData": {
    "Service": "kTCCServiceSystemPolicyAllFiles",
    "Client": "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
    "ClientType": 0,
    "AuthValue": 2,
    "AuthReason": 4,
    "User": "System",
    "LastModified": "2025-01-15T10:30:00Z",
    "IndirectObjectIdentifier": "UNUSED",
    "Flags": 0
  }
}
```
### Sample use in a sigma rule

```yaml
logsource:
  product: macos
  service: tcc
```