Which SIEM platforms have a CVE-2021-30952 detection rule?

df00tech provides CVE-2021-30952 (CVE-2021-30952: Apple Multiple Products Integer Overflow Exploitation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2021-30952 detection?

The CVE-2021-30952 detection is rated high severity with medium confidence.

What are common false positives for CVE-2021-30952?

Common false positives for CVE-2021-30952 include: Legitimate Safari or WebKit updates being applied via software update mechanisms; Developer testing environments running WebKit debug builds; Security research tools performing WebKit fuzzing or vulnerability testing.

CVE-2021-30952 Google Chronicle · YARA-L

Detect CVE-2021-30952: Apple Multiple Products Integer Overflow Exploitation in Google Chronicle

Q: What data sources are required to detect CVE-2021-30952: Apple Multiple Products Integer Overflow Exploitation (CVE-2021-30952)?

Detecting CVE-2021-30952: Apple Multiple Products Integer Overflow Exploitation requires the following data sources: Microsoft Defender for Endpoint, Microsoft Sentinel.

Detects exploitation attempts of CVE-2021-30952, an integer overflow vulnerability in Apple Multiple Products. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Integer overflow conditions in Apple platform components can lead to memory corruption, arbitrary code execution, or privilege escalation.

MITRE ATT&CK

Tactic: Execution Privilege Escalation Initial Access

YARA-L Detection Query

Google Chronicle (YARA-L)

yaral

rule cve_2021_30952_apple_integer_overflow {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects potential exploitation of CVE-2021-30952 Apple integer overflow vulnerability"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2021-30952"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.platform = "MAC"
    (
      $e.target.process.file.full_path = /\/com\.apple\.WebKit\.WebContent/ nocase or
      $e.target.process.file.full_path = /\/Safari/ nocase or
      $e.target.process.file.full_path = /\/MobileSafari/ nocase
    )
    not $e.target.process.file.full_path = /^\/Applications\// nocase
    not $e.target.process.file.full_path = /^\/System\// nocase
    not $e.principal.process.file.full_path = /^\/System\/Library\// nocase
    not $e.principal.process.file.full_path = /\/launchd/ nocase

  condition:
    $e
}

high severity medium confidence

Chronicle YARA-L rule detecting WebKit and Safari process launches from non-standard paths on macOS, indicative of post-exploitation activity following CVE-2021-30952 integer overflow exploitation.

Data Sources

Google ChronicleChronicle Endpoint Telemetry

Required Tables

UDM Events

False Positives & Tuning

Enterprise applications installing WebKit components to non-standard directories
Developer builds of Safari or WebKit launched during application testing
Security research environments with modified Apple software paths

Other platforms for CVE-2021-30952

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate WebKit Process Spawning Shell from Non-Standard Path
Expected signal: Process creation event showing /tmp/webkit-sim/WebContent spawning with process name matching WebContent but executing from /tmp path
Test 2Create Persistence via LaunchAgent After Simulated WebKit Compromise
Expected signal: File creation event for plist in ~/Library/LaunchAgents/ followed by launchctl process execution loading the new agent
Test 3Simulate Integer Overflow Memory Pressure via Safari Crash Report Generation
Expected signal: File creation event for .crash file in /tmp with WebContent prefix; potential file integrity monitoring alert

Last updated: 2026-06-19 Research depth: standard

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2021-30952 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0002Execution TA0004Privilege Escalation TA0001Initial Access

Related Techniques

T1203Exploitation for Client Execution T1068Exploitation for Privilege Escalation T1190Exploit Public-Facing Application

Detect CVE-2021-30952: Apple Multiple Products Integer Overflow Exploitation in Google Chronicle

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2021-30952

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Execution

Popular Detections

MITRE ATT&CK

YARA-L Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2021-30952

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox