Apple Multiple Products Use-After-Free Vulnerability (CVE-2023-43000)

union DeviceProcessEvents, DeviceEvents
| where Timestamp > ago(7d)
| where DeviceOS has_any ("macOS", "iOS", "iPadOS")
| where (ActionType in ("ProcessCrashed", "ExploitGuardViolation") or FileName in ("sysdiagnose", "ReportCrash", "osanalyticshelper"))
| extend CrashSignal = iff(ActionType == "ProcessCrashed", "process_crash", "exploit_guard")
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemotePort in (80, 443, 4444, 1337, 8080, 8443)
    | project DeviceId, NetworkTimestamp=Timestamp, RemoteIP, RemotePort, InitiatingProcessFileName
) on DeviceId
| where NetworkTimestamp between ((Timestamp - 5m) .. (Timestamp + 5m)) or isnull(NetworkTimestamp)
| project Timestamp, DeviceId, DeviceName, FileName, ProcessCommandLine, ActionType, CrashSignal, RemoteIP, RemotePort, AccountName
| order by Timestamp desc

index=endpoint sourcetype IN ("jamf:pro", "crowdstrike:events:stream", "syslog") host=* 
(os_family="macOS" OR os_family="iOS" OR os_family="iPadOS")
| eval is_crash_event=if(match(event_type, "(?i)(crash|use.after.free|uaf|memory.corruption|segfault|SIGSEGV|SIGBUS)"), 1, 0)
| eval is_exploit_indicator=if(match(process_name, "(?i)(ReportCrash|sysdiagnose|osanalyticshelper|CrashReporter)"), 1, 0)
| where is_crash_event=1 OR is_exploit_indicator=1
| eval risk_score=case(
    is_crash_event=1 AND is_exploit_indicator=1, 90,
    is_crash_event=1, 60,
    is_exploit_indicator=1, 50,
    true(), 30
  )
| join type=left host [
    search index=network sourcetype IN ("paloalto:firewall", "cisco:asa", "zeek:conn") dest_port IN (4444, 1337, 8080, 8443)
    | stats count as outbound_suspicious by src_ip, dest_ip, dest_port
    | rename src_ip as host
  ]
| where risk_score >= 60
| stats count, max(risk_score) as max_risk, values(process_name) as processes, values(dest_ip) as suspicious_dests by host, user
| sort -max_risk

sequence by host.id with maxspan=10m
  [process where host.os.family == "macos"
   and (process.name in ("ReportCrash", "osanalyticshelper", "CrashReporter", "sysdiagnose")
        or event.action in ("process_stopped", "process_crash"))
  ] by process.pid
  [network where host.os.family == "macos"
   and network.direction == "outbound"
   and destination.port in (4444, 1337, 8080, 8443, 9001, 9002)
   and not destination.ip in ("127.0.0.1", "::1", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
  ] by process.pid

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Process Name",
  "Event Category",
  magnitude,
  LOGSOURCENAME(logsourceid) as log_source
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Apple macOS Unified Log', 'CrowdStrike Falcon', 'Jamf Pro')
  AND ("Process Name" ILIKE '%ReportCrash%'
       OR "Process Name" ILIKE '%osanalyticshelper%'
       OR "Process Name" ILIKE '%CrashReporter%'
       OR "Event Category" ILIKE '%use-after-free%'
       OR "Event Category" ILIKE '%memory corruption%'
       OR "Event Category" ILIKE '%segmentation fault%')
  AND INCIDR(sourceip, '0.0.0.0/0')
  AND NOT INCIDR(destinationip, '10.0.0.0/8')
  AND NOT INCIDR(destinationip, '172.16.0.0/12')
  AND NOT INCIDR(destinationip, '192.168.0.0/16')
LAST 7 DAYS
ORDER BY devicetime DESC

_sourceCategory=endpoint/macos OR _sourceCategory=crowdstrike/events
| where os_family matches /(?i)mac[oO][sS]/ OR os_family matches /(?i)(iOS|iPadOS)/
| where process_name matches /(?i)(ReportCrash|CrashReporter|osanalyticshelper|sysdiagnose)/ 
     OR event_type matches /(?i)(crash|use.after.free|memory.corruption|sigsegv|sigbus)/
| timeslice 5m
| count by _timeslice, host, user, process_name, event_type
| join (
    _sourceCategory=network
    | where dest_port in ("4444","1337","8080","8443")
    | where !isNull(dest_ip)
    | count by host, dest_ip, dest_port
  ) on host
| where _count > 0
| fields _timeslice, host, user, process_name, event_type, dest_ip, dest_port
| sort by _timeslice desc

rule cve_2023_43000_apple_uaf_exploit {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects potential CVE-2023-43000 Apple use-after-free exploitation via crash reporter activity and suspicious network connections"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2023-43000"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    $crash.metadata.event_type = "PROCESS_LAUNCH"
    $crash.principal.hostname = $host
    $crash.target.process.file.full_path = /(?i)(ReportCrash|CrashReporter|osanalyticshelper|sysdiagnose)/
    $crash.principal.platform = "MAC"

    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.hostname = $host
    $net.network.direction = "OUTBOUND"
    $net.network.application_protocol != "DNS"
    not $net.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/
    $net.target.port in (4444, 1337, 8080, 8443, 9001)

  match:
    $host over 10m

  condition:
    $crash and $net
}

#event_simpleName IN (ProcessRollup2, NetworkConnectIP4, NetworkConnectIP6, SuspiciousKernelApiCall)
| $event_simpleName = "ProcessRollup2"
| ImageFileName MATCHES "(?i)/(ReportCrash|CrashReporter|osanalyticshelper|sysdiagnose)$"
| PlatformType = "Mac"
| join (
    #event_simpleName = "NetworkConnectIP4"
    | RemotePort IN [4444, 1337, 8080, 8443, 9001, 9002]
    | NOT RemoteAddressIP4 CIDR ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]
    | select aid, RemoteAddressIP4, RemotePort, LocalAddressIP4, NetworkConnectTimestamp
  ) [aid, ComputerName]
| select ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4, RemotePort, ProcessStartTime, NetworkConnectTimestamp
| sort -ProcessStartTime