Block Remote Access Enablement via systemsetup
Block systemsetup from enabling SSH or remote Apple Events while preserving its other operations, denying attackers an easy way to open lateral-movement channels.
Idea
"Living off the land", using tools that are already installed on the host, is a common attacker technique, and LOOBins is a good catalogue of macOS examples. Its "Lateral Movement" section shows the built-in systemsetup command being used to enable SSH access and remote Apple Events, giving an attacker a persistent remote channel into the host.
Since systemsetup is used for legitimate purposes, we don't want to block the command outright. Instead, we can use a CEL rule to block only the subactions we don't want, such as enabling SSH (-setremotelogin) or remote Apple Events (-setremoteappleevents), while every other systemsetup invocation stays allowed.
Solutions
- Signing ID
- CEL Expression
- Custom Message
MITRE ATT&CK
Tactics
Techniques
Tags
Deployment Notes
This rule blocks the specific systemsetup flags that enable SSH (-setremotelogin) and remote Apple Events (-setremoteappleevents) while allowing all other systemsetup operations. Because the decision is made on the arguments of the systemsetup process at execution time, any invocation that carries one of these flags is denied as a whole, even if it also performs an unrelated operation such as setting the time zone.
This is a good example of using CEL rules to surgically block dangerous operations in otherwise-legitimate system utilities. Note that it only covers the systemsetup path: the same services can still be enabled through other means (the Sharing preference pane, or loading the sshd launch daemon with launchctl), so treat this rule as one control among several rather than a complete block on remote access.
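The following is an added example that is not the page's own rule and not code from the Santa project: a small Python emulation of the decision the CEL rule described in the Idea and Deployment Notes sections makes, run over constructed systemsetup argument lists. It assumes the rule sees the process arguments as a list of strings (Santa's CEL environment exposes them as `args`, and a verdict of the shape `args.exists(a, a in ['-setremotelogin', '-setremoteappleevents']) ? BLOCKLIST : ALLOWLIST` is the corresponding CEL sketch; both are stated here as assumptions, not quoted from the page). It also shows why the check should compare whole argument tokens rather than substrings: a substring match would wrongly block the read-only -getremotelogin query.

```python
"""Emulation of the systemsetup CEL rule's decision logic.

Added example, not code from the page or from Santa. It mirrors what
the rule described above does: block only the flags that enable SSH
(-setremotelogin) and remote Apple Events (-setremoteappleevents) and
allow every other systemsetup invocation. All argv samples below are
constructed for illustration, not captured from a real host.
"""

BLOCKED_FLAGS = frozenset({"-setremotelogin", "-setremoteappleevents"})

ALLOWLIST = "ALLOWLIST"
BLOCKLIST = "BLOCKLIST"


def decide(argv: list[str]) -> str:
    """Return the verdict the rule would give for one systemsetup process.

    argv[0] is the program; argv[1:] are the arguments a CEL rule would
    inspect. Matching is on whole tokens, so read-only queries such as
    -getremotelogin stay allowed. Case is folded before comparison as a
    defence-in-depth choice; whether systemsetup itself accepts mixed-case
    flags is an assumption made here, not something the page states.
    """
    for arg in argv[1:]:
        if arg.lower() in BLOCKED_FLAGS:
            return BLOCKLIST
    return ALLOWLIST


def decide_substring_naive(argv: list[str]) -> str:
    """Counter-example: substring matching over-blocks.

    A rule that looks for 'remotelogin' anywhere in an argument also
    denies the harmless -getremotelogin query. Kept only to show why
    decide() compares whole tokens.
    """
    for arg in argv[1:]:
        lowered = arg.lower()
        if "remotelogin" in lowered or "remoteappleevents" in lowered:
            return BLOCKLIST
    return ALLOWLIST


# Constructed sample invocations with the verdict the rule is meant to give.
SAMPLES = [
    (["systemsetup", "-setremotelogin", "on"], BLOCKLIST),
    (["systemsetup", "-setremoteappleevents", "on"], BLOCKLIST),
    # The whole process is denied even when an unrelated flag is present.
    (["systemsetup", "-settimezone", "UTC", "-setremotelogin", "on"], BLOCKLIST),
    (["systemsetup", "-SetRemoteLogin", "on"], BLOCKLIST),
    (["systemsetup", "-gettimezone"], ALLOWLIST),
    (["systemsetup", "-getremotelogin"], ALLOWLIST),
    # The rule keys on the flag, not its value, so turning SSH off is blocked too.
    (["systemsetup", "-setremotelogin", "off"], BLOCKLIST),
]


def run_samples() -> list[tuple[list[str], str, str]]:
    """Evaluate each sample with the token rule and the naive substring rule."""
    return [(argv, decide(argv), decide_substring_naive(argv)) for argv, _ in SAMPLES]


if __name__ == "__main__":
    for argv, verdict, naive in run_samples():
        print(f"{' '.join(argv):55s} token={verdict:9s} substring={naive}")
```

Running the block prints one line per sample; the only row where the two columns differ is -getremotelogin, which the token rule allows and the substring rule blocks. The last sample is worth noticing when deploying: because the flag rather than its on/off value is matched, an administrator disabling SSH with -setremotelogin off is blocked just like an attacker enabling it.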
False Positive Guidance
IT administrators may legitimately need to enable SSH or remote Apple Events via systemsetup, and because the rule matches the flag rather than its value, disabling those services with the same flags is blocked as well. Consider using Workshop tags to exempt IT staff, or create an approval workflow for these operations so that the block is lifted only for a reviewed change.