What do XProtect BehaviourService and Bastion rules do?
Not content with two different XProtects, Apple added a third to macOS Ventura, XProtect BehaviorService (XBS), part of the new Bastion behavioural-based malware detection system. Rather than performing on-demand or periodic scans of static code, this watches for potentially malicious behaviours, such as attempts to access folders used by browsers such as Safari and Google Chrome. This article summarises what XBS is doing as we prepare to upgrade from Sonoma to Sequoia.
What they do
Apple tells us precious little about XBS and Bastion, mentioning them in its Platform Security Guide: “In addition, XProtect contains an advanced engine to detect unknown malware based on behavioral analysis. Information about malware detected by this engine, including what software was ultimately responsible for downloading it, is used to improve XProtect signatures and macOS security.”
At present, XBS and Bastion only record suspicious events in the XBS database at /var/protected/xprotect/XPdb, report them to Apple, but don’t attempt to intervene in any way. They determine what to report according to a set of rules applied by syspolicyd that are compiled from source files updated inside XProtect Remediator update bundles. Changes in those, in XPR’s scanning modules, and in XProtect’s detection signatures, are reported on this blog for each update released by Apple.
Development
Over the period since its introduction, Bastion rules have grown steadily, from four to 12:
In macOS 13.5 (24 July 2023) there were 4 rules, increasing to 5 in September 2023.
XProtect Remediator (XPR) 108 (8 August 2023) brought the first separate Bastion rule update.
XPR 112 added rules 6 and 7.
XPR 123 added rules 8 and 9, and adjusted rule 7.
XPR 130 added rule 10.
XPR 131 added rule 11.
XPR 137 added rule 12, and amended rules 6 and 7.
Updates provided in XProtect Remediator contain two files for XBS and Bastion:
bastion.sb, a text file containing the latest Bastion SystemPolicyConfiguration, its rules;
BastionMeta.plist, a property list defining behaviour dictionaries for XBS and Bastion.
Bastion rules
The Bastion SystemPolicyConfiguration file bastion.sb is prefaced with the line (version 3), which hasn’t changed since the first update.
This first defines four groups of processes: usual-offenders, common exceptions to several rules, and separate groups of exceptions to each of Bastion rules 1, 2, 3 and 12. For example, com.apple.mds and other Spotlight indexing processes are usual-offenders, while com.apple.Finder is only a rule-one-offender. Interestingly, three of the XProtect Remediator scanning modules (MRTv3, Pirrit and WaterNet) are included in the list of usual-offenders.
Using those lists of exceptions, Bastion rules are then built as filters:
excludes other processes from accessing private data for Google Chrome, Firefox and Safari;
excludes other processes from accessing private data for Messages, Microsoft Teams, Slack and WhatsApp;
excludes other processes from accessing the QuarantineEvents database;
controls access to two socket ioctl commands SIOCIFCREATE and SIOCGIFDESC;
controls access to writing files with a period/stop at the start of their name within Library/PrivilegedHelperTools/ directories.
controls creating or writing to files with a name starting with com within /Library/Application Support/
controls creating or writing to files with a name starting with com within /Library/Application Support/ and user /Library/Application Support/ directories
controls creating or writing to files with a name starting with a period/stop, other than .DS_Store, in user /Library/Application Support/ directories
excludes other processes from creating or writing to files in user /Library/Containers/com.apple.Safari/Data/Library/Safari/AppExtensions/ directories
controls creating or writing to files with a name starting with a period/stop, other than .DS_Store, .betamigrated and .localized, in the /Users/Shared/ directory
controls execution of processes from files with a name starting with a period/stop in the /Users/Shared/ directory
excludes other processes from accessing private data for Notes, Safari Cookies, Chrome, Brave, Microsoft Edge, Opera, Vivaldi, Firefox, Arc, other cookies, Electrum and Coinomi wallets, Exodus, atomic, Binance, Filezilla, Steam and Discord.
The updated bastion.sb file supplied in XPR updates is explicitly referenced by syspolicyd to replace the version embedded in its own code.
BastionMeta.plist
This property list contains a metadata dictionary of 12 behaviours, each correlating with a Bastion rule. Each has a Signature Name, such as macOS.NetworkSniffer.Generic, a Boolean value indicating the need for immediate reporting, and a binary flag ranging from 1 to 2048. The behaviours are named:
Browser
Messages
QntDb
NetworkSniffer
HiddenPrivilegedHelpers
ADLOAD NumericPath
ADLOAD PersistenceSearch
Persistence HiddenAppSupport
Safari ExtensionModification
Persistence HiddenShared Generic
Persistence HiddenShared Exec
InfoStealers.
Behaviours detected
Individual rules currently detect:
attempts to access private browser data
attempts to access private messaging data
attempts to access quarantine records
attempts to perform network packet sniffing
attempts to write to hidden privileged helper apps
Adload behaviours
Adload persistence behaviours
persistence behaviour using hidden files in user /Library/Application Support/ directories
attempts to create and use Safari extensions
persistence behaviour using hidden files in /Users/Shared/
persistence behaviour running hidden files in /Users/Shared/
attempts by an InfoStealer to access a wide range of private data.
Summary
In macOS Ventura and later, XProtect BehaviorService (XBS) and its Bastion rules detect suspicious behaviours that might reflect malicious activity.
Bastion rules are updated within XProtect Remediator updates, using two files bastion.sb and BastionMeta.plist.
There are currently 12 Bastion rules, covering generic behaviours such as accessing private data, to those indicative of Adload and InfoStealer malware.
Suspicious behaviour is recorded locally to the XBS database and reported to Apple, but isn’t notified to the user.
Currently the primary purpose of XBS and Bastion is to provide Apple’s security team with intelligence to improve protection provided by XProtect and XProtect Remediator.
Reference
Chris Long, Leveraging Osquery To Examine The XProtect Behavioral Service DB
