Full Report
Wiz customers can now detect vulnerabilities in macOS workloads and their software components with agentless scanning, and assess their secure configurations against built-in CIS Benchmarks for Apple macOS
Analysis Summary
This article describes a security product extension and does not detail specific malware, attack tools, or adversary TTPs in the traditional sense (e.g., C2 frameworks, exploits, adversarial techniques). Instead, it details a **defensive security solution's capabilities** for vulnerability and configuration management on macOS cloud instances.
Therefore, the summary will focus on the Wiz security solution and its capabilities as described in the context.
# Tool/Technique: Wiz Agentless Vulnerability Scanning for macOS
## Overview
Wiz is extending its agentless vulnerability scanning and host configuration assessment capabilities to cover macOS workloads, specifically targeting environments utilizing EC2 Mac instances in the cloud. The primary purpose is to provide continuous, agent-free visibility into vulnerabilities and configuration drift on macOS systems.
## Technical Details
- Type: Security Tool/Platform Feature
- Platform: macOS (specifically targeting cloud instances like AWS EC2 Mac)
- Capabilities: Agentless vulnerability scanning, host configuration assessment (CIS benchmarks), threat prioritization via Security Graph, inventory management.
- First Seen: Not explicitly stated (this is a product update, not a first sighting of malware).
## MITRE ATT&CK Mapping
Since this is a defensive tool, a direct offensive mapping is not applicable. The capabilities instead relate to detecting the weaknesses an adversary would rely on under the following tactics:
- **TA0005 - Defense Evasion** (the tool helps detect weaknesses adversaries might leverage)
  - T1027 - Obfuscated Files or Information (detection of potentially obfuscated or malicious software components)
- **TA0008 - Lateral Movement** (identification of misconfigurations that enable movement)
  - T1570 - Lateral Tool Transfer (detection of vulnerable paths)
## Functionality
### Core Capabilities
- **Agentless Vulnerability Scanning:** Assesses workloads without requiring software deployment on the target machine, relying on API connectors.
- **Vulnerability Catalog:** Scans against a catalog of more than 70,000 supported vulnerabilities.
- **Inventory Visibility:** Lists all detected macOS instances on the Inventory page.
- **Security Graph Modeling:** Models detected vulnerabilities to provide prioritization context (network exposure, permissions, secrets, etc.).
### Advanced Features
- **Host Configuration Assessment:** Adds new rules aligned with the **CIS Benchmarks for macOS** to check configuration posture.
- **Threat Center Integration:** Allows immediate identification of workload exposure to the latest vulnerabilities.
- **Unified View:** Provides a consolidated approach to vulnerability management across multiple operating systems.
## Indicators of Compromise
*This section is not applicable as the context describes a defensive security solution, not an adversary tool.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
*This section is not applicable as the context describes a defensive security solution.*
- Associated Threat Actors: N/A
## Detection Methods
*This section describes detection capabilities embedded within the Wiz product itself.*
- Signature-based detection: Utilizes a catalog of more than 70,000 known vulnerabilities.
- Behavioral detection: Models risk contextually using the Wiz Security Graph (e.g., exposure, permissions).
- YARA rules: Not specified.
## Mitigation Strategies
- **Vulnerability Remediation:** Identifying and prioritizing vulnerabilities in macOS workloads.
- **Configuration Hardening:** Aligning macOS host settings with industry best practices, specifically the CIS Benchmark rules built into Wiz.
- **Unified Security Posture:** Ensuring consistent security monitoring across all cloud operating systems.
## Related Tools/Techniques
- Agent-based vulnerability scanners.
- Cloud Security Posture Management (CSPM) tools specialized in host configuration checks.
- Direct integration methods utilizing cloud provider APIs (like AWS APIs for EC2 management).