AN0408: Analytic 0408
Detection of PF firewall rule modifications via pfctl, socketfilterfw, or defaults write to com.apple.alf. Adversaries often disable firewall profiles entirely or whitelist malicious processes.
Analyst context for executives and security teams
AN0408 focuses on macOS firewall rule changes made through pfctl, socketfilterfw, or defaults writes to com.apple.alf. For leaders, the practical issue is not the command names themselves; it is whether the organization can tell when a host firewall posture is weakened or when a process is silently allowed through. That matters for endpoint containment, incident scoping, and proving that macOS security controls remain enforceable.
Executive priority
Prioritize this analytic where macOS endpoints support sensitive users, privileged administrators, developers, or business-critical operations. The key decision is whether SOC and IR teams have reliable evidence of firewall configuration changes and can distinguish approved administration from suspicious weakening of local controls. This also supports compliance and audit conversations around endpoint hardening, change control, and security monitoring evidence.
Technical view
Validate visibility for macOS process execution involving pfctl (the control utility for the PF packet filter), socketfilterfw (the command-line interface to the Application Firewall), and defaults writes targeting com.apple.alf (the Application Firewall's preference domain). Because no official detection logic was supplied with this object, teams should build and test detections around firewall-disable actions (for example pfctl -d or socketfilterfw --setglobalstate off), rule modifications, and application allow-list changes, then tune against legitimate administrator activity and managed configuration workflows. IR playbooks should treat an unexpected firewall modification as a host-posture change requiring review of the user, process, timestamp, command line, and resulting configuration.
Likely telemetry
- macOS process execution telemetry, including executable path and command-line arguments
- Endpoint security or EDR events for pfctl, socketfilterfw, and defaults execution
- macOS unified logs or system logs related to application firewall and PF changes
- File or configuration change evidence for PF rules and com.apple.alf preferences where collected
- User, privilege, and parent-process context for the account making the change
Detection direction
- Confirm the organization actually collects command-line and parent-process context on macOS; a process-name-only alert cannot distinguish a read-only pfctl -s from a pfctl -d that disables PF, so it is both noisy and easy to misinterpret.
- Create detections for suspicious use of pfctl, socketfilterfw, or defaults write against com.apple.alf, especially actions that disable profiles, modify rules, or allow specific processes.
- Tune expected activity from administrators, security tools, and approved endpoint management workflows, while retaining enough logging to investigate exceptions.
- Correlate firewall changes with authentication context, privilege elevation, software installation, and other endpoint events to reduce false positives.
- Because no ATT&CK relationship context or official detection logic is supplied, validate behavior in the local environment before using this as a coverage claim.
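The detection direction above (and the technical view earlier on this page) turned into runnable logic, as an added example that is not MITRE's or Glexia's code: it classifies normalised macOS process-execution events for the three paths the analytic names, parses pfctl's clustered flags so a read-only `-sr` is not confused with `-d`, keeps the most severe option when several appear on one socketfilterfw command line, and tags rather than drops events whose parent is an approved management agent. The event schema (exe, argv, parent_exe, user), the hypothetical agent path /opt/example-mdm/agent, the untrusted-directory list, and the sample events are assumptions constructed for illustration; map your EDR's fields onto the schema before use.

```python
"""Classify macOS process events for host-firewall weakening.

Added example for this analytic, not MITRE's or Glexia's detection logic.
Assumes a normalised event dict (exe, argv, parent_exe, user) mapped from
EDR or unified-log process telemetry; the sample events and the approved
parent path below are constructed for illustration.
"""
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Optional

SOCKETFILTERFW = "/usr/libexec/ApplicationFirewall/socketfilterfw"
# Hypothetical management agent; substitute your MDM/config tool's binary.
APPROVED_PARENTS = {"/opt/example-mdm/agent"}
# Locations from which a newly allow-listed binary deserves a closer look (assumed list).
UNTRUSTED_DIRS = ("/tmp/", "/private/tmp/", "/private/var/tmp/", "/Users/Shared/")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
PFCTL_ARG_OPTS = set("aDfFiKkopstTx")  # pfctl options that take a value
# defaults keys whose value 0 weakens the Application Firewall
ALF_KEYS_OFF = {"globalstate": ("alf_disabled", "high"),
                "stealthenabled": ("alf_weakened", "medium"),
                "loggingenabled": ("alf_weakened", "medium")}


@dataclass
class Finding:
    rule: str
    severity: str
    approved: bool  # parent is an approved management workflow: review, do not drop
    event: dict


def _in_untrusted_dir(path: str) -> bool:
    return path.startswith(UNTRUSTED_DIRS) or "/Downloads/" in path


def _classify_socketfilterfw(argv: list[str]) -> Optional[tuple[str, str]]:
    """Application Firewall changes; returns the most severe option present."""
    best = None
    for i in range(1, len(argv)):
        opt = argv[i]
        val = argv[i + 1] if i + 1 < len(argv) else ""
        if opt == "--setglobalstate" and val.lower() == "off":
            hit = ("alf_disabled", "high")
        elif opt in ("--setstealthmode", "--setloggingmode") and val.lower() == "off":
            hit = ("alf_weakened", "medium")
        elif opt in ("--add", "--unblockapp"):
            hit = ("alf_process_allowed", "high" if _in_untrusted_dir(val) else "medium")
        elif opt == "--remove":
            hit = ("alf_rule_modified", "low")
        else:
            continue
        if best is None or SEVERITY_RANK[hit[1]] > SEVERITY_RANK[best[1]]:
            best = hit
    return best


def _classify_pfctl(argv: list[str]) -> Optional[tuple[str, str]]:
    """PF changes; a small getopt-style pass so clustered flags like -sr parse."""
    flags, values, i = set(), {}, 1
    while i < len(argv):
        tok = argv[i]
        i += 1
        if not tok.startswith("-") or len(tok) < 2:
            continue
        letters = tok[1:]
        for j, ch in enumerate(letters):
            flags.add(ch)
            if ch in PFCTL_ARG_OPTS:          # value is the rest of the token or the next token
                if letters[j + 1:]:
                    values[ch] = letters[j + 1:]
                elif i < len(argv):
                    values[ch], i = argv[i], i + 1
                break
    if "d" in flags:
        return ("pf_disabled", "high")
    if "F" in flags and values.get("F", "").lower() in ("all", "rules", "nat"):
        return ("pf_rules_flushed", "high")
    if "f" in flags:
        # A ruleset piped in via "-f -" leaves no file on disk to review later.
        return ("pf_rules_loaded", "high" if values.get("f") == "-" else "medium")
    return None


def _classify_defaults(argv: list[str]) -> Optional[tuple[str, str]]:
    """defaults write against com.apple.alf, in domain or plist-path form."""
    if len(argv) < 4 or argv[1] != "write":
        return None
    if os.path.basename(argv[2]).removesuffix(".plist") != "com.apple.alf":
        return None
    key, value = argv[3], argv[-1]
    if key in ALF_KEYS_OFF and value == "0":
        return ALF_KEYS_OFF[key]
    return ("alf_prefs_modified", "medium")


def classify(event: dict) -> Optional[Finding]:
    exe, argv = event["exe"], event["argv"]
    name = os.path.basename(exe)
    if exe == SOCKETFILTERFW or name == "socketfilterfw":
        hit = _classify_socketfilterfw(argv)
    elif name == "pfctl":
        hit = _classify_pfctl(argv)
    elif name == "defaults":
        hit = _classify_defaults(argv)
    else:
        hit = None
    if hit is None:
        return None
    return Finding(hit[0], hit[1], event.get("parent_exe") in APPROVED_PARENTS, event)


def run(events: list[dict]) -> list[Finding]:
    return [f for f in map(classify, events) if f is not None]


def _ev(exe, *args, parent="/bin/zsh", user="root"):
    return {"exe": exe, "argv": [exe, *args], "parent_exe": parent, "user": user}


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    _ev(SOCKETFILTERFW, "--setglobalstate", "off"),
    _ev(SOCKETFILTERFW, "--add", "/private/tmp/.update/helper", parent="/usr/bin/osascript"),
    _ev(SOCKETFILTERFW, "--setstealthmode", "off"),
    _ev("/sbin/pfctl", "-d", parent="/opt/example-mdm/agent"),
    _ev("/sbin/pfctl", "-sr"),                                           # read-only: no finding
    _ev("/sbin/pfctl", "-a", "com.example.anchor", "-f", "-", parent="/bin/sh"),
    _ev("/usr/bin/defaults", "write", "/Library/Preferences/com.apple.alf", "globalstate", "-int", "0"),
    _ev("/usr/bin/defaults", "read", "com.apple.alf", "globalstate"),    # no finding
    _ev(SOCKETFILTERFW, "--getglobalstate"),                             # no finding
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        tag = " (approved parent, review)" if f.approved else ""
        print(f"{f.severity:6} {f.rule:20} {' '.join(f.event['argv'])}{tag}")
```

The approved-parent tag implements the tuning point above without discarding evidence: the finding is still emitted for investigation, it is simply marked as coming from an expected workflow. Severity for allow-list additions is raised when the allowed binary sits in a temporary or shared directory, which is a heuristic to review against your own fleet, not a rule the analytic prescribes.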
Mitigation priorities
- Establish a macOS firewall configuration baseline and require approved change paths for exceptions or disablement.
- Limit local administrative rights and monitor privileged changes to host firewall settings.
- Use centralized endpoint management or policy enforcement where appropriate to maintain expected firewall state.
- Ensure SOC and IR teams can retrieve historical evidence of firewall changes during investigations.
- Periodically test whether unauthorized or unexpected firewall modifications generate actionable alerts.
Analyst notes and limits
This object is a detection analytic for macOS only. The supplied description identifies firewall rule modification through pfctl, socketfilterfw, or defaults write to com.apple.alf, including disabling firewall profiles or whitelisting processes. No tactics, relationships, aliases, or official detection logic were supplied, so this take frames validation and control priorities rather than a specific ATT&CK technique mapping.
The source data does not provide detection pseudocode, data source mappings, related techniques, adversary usage, or mitigation text. Local macOS logging configuration, endpoint tooling, administrative workflows, and change-management records are required to determine actual coverage and alert quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.0 |  | Current bundle | 8700f209c1b2… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0408
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.