Apple Multiple Products Improper Locking Vulnerability (CVE-2025-43510)

union DeviceProcessEvents, DeviceEvents
| where DeviceOS startswith "Mac" or DeviceOS startswith "iOS" or DeviceOS startswith "iPadOS"
| where Timestamp > ago(7d)
| where (
    (ActionType == "ProcessCrashed" and InitiatingProcessFileName in~ ("kernel_task", "launchd", "SpringBoard", "backboardd")) or
    (ActionType in ("ProcessCreated", "ProcessInjected") and AccountName != "root" and InitiatingProcessIntegrityLevel in ("Low", "Medium") and ProcessIntegrityLevel == "System") or
    (FileName in~ ("osascript", "bash", "zsh", "python3") and ProcessCommandLine has_any ("sudo", "setuid", "seteuid", "pthread_mutex", "dispatch_semaphore"))
)
| extend RiskScore = case(
    ActionType == "ProcessInjected", 90,
    ProcessIntegrityLevel == "System" and AccountName != "root", 85,
    ActionType == "ProcessCrashed" and InitiatingProcessFileName == "kernel_task", 75,
    50
)
| project Timestamp, DeviceName, DeviceOS, AccountName, ActionType, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessIntegrityLevel, RiskScore
| sort by RiskScore desc, Timestamp desc

index=mac_edr OR index=apple_mdm OR index=endpoint sourcetype IN ("jamf:pro", "crowdstrike:events:sensor", "sentinelone:activity", "carbon_black:edr")
| where match(os_version, "(?i)(mac|ios|ipados|tvos|watchos|visionos)")
| eval risk_score=0
| eval risk_score=if(match(event_type, "(?i)(kernel_panic|kernel_crash|process_crash)") AND match(process_name, "(?i)(kernel_task|launchd|springboard|backboardd)"), risk_score+75, risk_score)
| eval risk_score=if(match(event_type, "(?i)(privilege_escalation|setuid|seteuid)") AND NOT match(user, "(?i)(root|_daemon|_system)"), risk_score+85, risk_score)
| eval risk_score=if(match(event_type, "(?i)(process_inject|code_inject|dylib_inject)"), risk_score+90, risk_score)
| eval risk_score=if(match(cmdline, "(?i)(pthread_mutex|dispatch_semaphore|os_lock|OSSpinLock)"), risk_score+60, risk_score)
| where risk_score >= 60
| stats count, max(risk_score) as max_risk, values(event_type) as event_types, values(cmdline) as commands, dc(host) as host_count by host, user, process_name, _time
| sort - max_risk
| table _time, host, user, process_name, event_types, commands, max_risk, count

sequence by host.name, user.name with maxspan=5m
  [process where host.os.family == "macos"
   and event.action in ("start", "fork")
   and not user.name in ("root", "_daemon", "_windowserver", "_mdnsresponder")
   and process.name in ("bash", "zsh", "sh", "python3", "osascript", "perl")
  ]
  [process where host.os.family == "macos"
   and event.action == "start"
   and (
     process.args : ("*pthread_mutex*", "*dispatch_semaphore*", "*OSSpinLock*", "*os_unfair_lock*") or
     user.effective.id == 0 and user.id != "0"
   )
  ]
| head 200

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "Process Name",
  "Command Line",
  "Process ID",
  magnitude
FROM events
WHERE
  (devicetype = 73 OR LOGSOURCENAME(logsourceid) ILIKE '%apple%' OR LOGSOURCENAME(logsourceid) ILIKE '%jamf%' OR LOGSOURCENAME(logsourceid) ILIKE '%mac%')
  AND (
    ("Event Category" ILIKE '%privilege%' AND username NOT IN ('root', '_daemon', '_system', '_windowserver'))
    OR ("Event Category" ILIKE '%kernel%panic%')
    OR ("Command Line" ILIKE '%pthread_mutex%' OR "Command Line" ILIKE '%dispatch_semaphore%' OR "Command Line" ILIKE '%os_unfair_lock%')
    OR ("Process Name" IN ('bash','zsh','sh','python3','osascript') AND "Effective User ID" = '0' AND username != 'root')
  )
  AND LOGSOURCETIME(devicetime) > NOW() - 7 DAYS
ORDER BY magnitude DESC, devicetime DESC
LIMIT 500

_sourceCategory=apple* OR _sourceCategory=macos* OR _sourceCategory=jamf* OR _sourceCategory=endpoint/mac
| where (%"os.family" = "macos" OR %"os.type" matches /(?i)(mac|ios|ipados)/)
| parse field=%"event.action" "*" as event_action
| parse field=%"process.name" "*" as proc_name nodrop
| parse field=%"process.args" "*" as proc_args nodrop
| parse field=%"user.name" "*" as username nodrop
| where (
    (event_action in ("kernel_panic", "kernel_crash", "process_crash") and proc_name in ("kernel_task", "launchd", "SpringBoard"))
    or (event_action in ("privilege_escalation", "setuid_event") and username != "root")
    or (proc_name in ("bash","zsh","sh","python3","osascript") and (proc_args matches /pthread_mutex|dispatch_semaphore|os_unfair_lock|OSSpinLock/))
)
| eval risk = if(event_action = "privilege_escalation", "HIGH", if(event_action in ("kernel_panic","kernel_crash"), "HIGH", "MEDIUM"))
| count by _sourceHost, username, proc_name, event_action, risk
| sort by risk, _count desc

rule cve_2025_43510_apple_improper_locking {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects exploitation indicators for CVE-2025-43510 Apple Improper Locking Vulnerability"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-43510"
    yara_version = "YL2.0"
    rule_version = "1.0"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and $e.principal.platform = "MAC"
      and (
        $e.target.process.file.full_path = /\/(bash|zsh|sh|python3|osascript|perl)$/
        or $e.target.process.command_line = /pthread_mutex|dispatch_semaphore|os_unfair_lock|OSSpinLock/
      )
      and not $e.principal.user.userid in ("root", "_daemon", "_system", "_windowserver")
    )
    or
    (
      $e.metadata.event_type = "PROCESS_UNCATEGORIZED"
      and $e.principal.platform = "MAC"
      and $e.metadata.description = /kernel_panic|kernel_crash/
    )
    or
    (
      $e.metadata.event_type = "USER_PRIVILEGE_ESCALATION"
      and $e.principal.platform = "MAC"
      and $e.target.user.userid = "root"
      and not $e.principal.user.userid = "root"
    )

  condition:
    $e
}

#event_simpleName=ProcessRollup2 OR #event_simpleName=SyntheticProcessRollup2 OR #event_simpleName=CriticalFileAccessed
| $falcon.system = "Mac"
| $UserName != "root"
| $UserName != "_daemon"
| $UserName != "_system"
| $UserName != "_windowserver"
| case {
    $ImageFileName = /\/(bash|zsh|sh|python3|osascript|perl)$/ AND $CommandLine = /pthread_mutex|dispatch_semaphore|os_unfair_lock|OSSpinLock/ : $risk_reason = "locking_api_abuse";
    $event_simpleName = "CriticalFileAccessed" AND $TargetFileName = /\/System\/Library\/Kernels\// : $risk_reason = "kernel_file_access";
    $ParentBaseFileName IN ("bash", "zsh", "sh", "python3", "osascript") AND $UserIsAdmin = "1" AND $RequestedPrivileges = /SeTcbPrivilege|SeDebugPrivilege/ : $risk_reason = "privilege_escalation";
    * : $risk_reason = "other"
  }
| $risk_reason != "other"
| groupBy([$aid, $ComputerName, $UserName, $ImageFileName, $CommandLine, $risk_reason], function=([count(as=event_count), min(ContextTimeStamp, as=first_seen), max(ContextTimeStamp, as=last_seen)]))
| sort($event_count, order=desc)