{
	"id": "4b320a75-db88-4143-8acb-c338cc7a49f5",
	"created_at": "2026-04-06T00:08:41.383144Z",
	"updated_at": "2026-04-10T13:12:26.749175Z",
	"deleted_at": null,
	"sha1_hash": "c1dc4816c6ca0a55e4442196ff125628e6e05242",
	"title": "System extensions in macOS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57249,
	"plain_text": "System extensions in macOS\r\nArchived: 2026-04-05 18:38:12 UTC\r\nA Mac with macOS 10.15 or later enables developers to extend the capabilities of macOS by installing and\r\nmanaging system extensions that run in user space rather than at the kernel level. By running in user space, system\r\nextensions increase the stability and security of macOS. Whereas kexts inherently have full access to the entire\r\noperating system, extensions running in user space are granted only the privileges necessary to perform their\r\nspecified function, so a crash or compromise of one does not carry kernel-level consequences.\r\nSystem extensions support robust management using a device management service, including the ability to allow\r\nall extensions from a specific developer or of a specific type (like network extensions) to load without user\r\ninteraction. Optionally, a device management service can also prevent users from approving their own system\r\nextensions.\r\nFor a Mac with macOS 12.0.1 or later, a dictionary in the System Extensions payload, called\r\nRemovableSystemExtensions, allows a device management service administrator to specify which apps can\r\nremove their own system extensions. Removing an extension listed there requires no local administrator\r\nauthentication, which is especially useful for vendors that provide automated uninstallers for their apps; because\r\nit also removes the authentication prompt, list only apps whose uninstallers you trust.\r\nFor a Mac with macOS 11.3 through macOS 11.6.4, making changes to a system extension profile directly affects\r\nthe state of an extension. For example, if an extension is pending approval and a configuration profile is pushed\r\nthat allows the extension, the extension is allowed to load. Conversely, if an approval is revoked, the system\r\nextension is unloaded and marked for removal on the next restart of the Mac. 
If a system extension tries to unload\r\nitself, an interactive authentication dialog appears that requires administrator credentials to authorize the\r\nunloading (unless its app is listed in the RemovableSystemExtensions dictionary described above).\r\nKernel extensions\r\nFor a Mac with macOS 11 or later, if third-party kernel extensions (kexts) are enabled, they can’t be loaded into\r\nthe kernel on demand. They require the user’s approval and a restart of macOS to load the changes into the\r\nkernel, and on a Mac with Apple silicon they also require that secure boot be configured to Reduced Security.\r\nDevelopers can use frameworks such as DriverKit, NetworkExtension and EndpointSecurity to write USB and human\r\ninterface drivers, endpoint security tools (like data loss prevention or other endpoint agents), and VPN and\r\nnetwork tools, all without needing to write kexts. Third-party security agents should be used only if they take\r\nadvantage of these APIs or have a robust road map to transition to them and away from kernel extensions.\r\nImportant: Kexts are no longer recommended for macOS. Kexts risk the integrity and reliability of the operating\r\nsystem. 
Users should prefer solutions that don’t require extending the kernel and use system extensions instead.\r\nhttps://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web\r\nPage 1 of 4\r\nAdd kexts on an Intel-based or Apple silicon Mac with macOS 11 or later\r\nIf you need to use kernel extensions, review the approval methods based on enrollment method.\r\nEnrollment method: Not enrolled, or User Enrollment\r\nApproval method: When a new kext is installed and there’s an attempt to load it, a restart needs to be initiated\r\nby the user from the warning dialog in:\r\n- macOS 13 or later: Apple menu \u003e System Settings \u003e Privacy \u0026 Security.\r\n- macOS 12.0.1 or earlier: Apple menu \u003e System Preferences \u003e Security \u0026 Privacy.\r\nThis restart initiates the rebuild of the AuxKC (the auxiliary kernel collection that holds third-party kexts)\r\nbefore the kernel boots.\r\nEnrollment method: Device Enrollment, or Automated Device Enrollment\r\nApproval method: Every time a new kext is installed and there’s an attempt to load it, a restart needs to be\r\ninitiated by either:\r\n- A local administrator account, from the warning in Privacy \u0026 Security in System Settings (macOS 13 or\r\nlater) or the Security \u0026 Privacy pane of System Preferences (macOS 12.0.1 or earlier). A device management\r\nservice can also allow this for standard users.\r\n- The device management service itself, using the RestartDevice command with RebuildCache flagged. The\r\nAuxKC rebuilds the next time the Mac restarts. Kexts already discovered by macOS (for example, loaded by their\r\nsoftware and blocked) are included, and the device management service can supply ones that haven’t yet\r\nattempted to load using the KextPaths key.\r\nNote: The device management service first needs to install a kext allow list profile that specifies the kext. 
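As an added example (not Apple's text or code; every identifier in it is hypothetical), the following Python builds and audits the two payloads this page describes: the System Extensions payload from the first section (allow by developer and type without user interaction, AllowUserOverrides set to false, and a RemovableSystemExtensions entry) and the kext allow list payload that the note above says must be installed before the RestartDevice command, together with that command. It uses only the standard library plistlib. The decision functions are my simplified model of the documented approval rules, not Apple's implementation, and the RestartDevice key names are from the MDM protocol as I recall it; check them against your device management service's documentation.

```python
import plistlib
import uuid

# Constructed values for this example: a hypothetical developer Team ID,
# bundle IDs and kext path. Replace them with the vendor's real identifiers.
TEAM_ID = 'ABCDE12345'
VPN_EXT = 'com.example.vpn.extension'
KEXT_ID = 'com.example.driver.kext'
KEXT_PATH = '/Library/Extensions/ExampleDriver.kext'
SYSEXT_PAYLOAD_TYPE = 'com.apple.system-extension-policy'
KEXT_PAYLOAD_TYPE = 'com.apple.syspolicy.kernel-extension-policy'

def _payload(payload_type, **policy_keys):
    # Common keys every payload carries, plus the policy keys passed in.
    base = {'PayloadType': payload_type, 'PayloadVersion': 1,
            'PayloadIdentifier': payload_type + '.example',
            'PayloadUUID': str(uuid.uuid4()).upper()}
    base.update(policy_keys)
    return base

def sysext_payload():
    # Network and endpoint-security extensions from TEAM_ID load without user
    # interaction, users may approve nothing else, and the VPN app may remove
    # its own extension without local admin authentication (macOS 12.0.1+).
    return _payload(
        SYSEXT_PAYLOAD_TYPE,
        AllowUserOverrides=False,
        AllowedSystemExtensionTypes={
            TEAM_ID: ['NetworkExtension', 'EndpointSecurityExtension']},
        RemovableSystemExtensions={TEAM_ID: [VPN_EXT]})

def kext_payload():
    # Kext allow list that must be installed before RestartDevice is sent.
    # AllowNonAdminUserApprovals lets a standard user trigger the restart.
    return _payload(
        KEXT_PAYLOAD_TYPE,
        AllowUserOverrides=True,
        AllowNonAdminUserApprovals=True,
        AllowedKernelExtensions={TEAM_ID: [KEXT_ID]})

def profile_bytes(payloads, name):
    # Wrap payloads in a device-scoped profile, serialised as the XML plist
    # that a .mobileconfig file contains.
    return plistlib.dumps({
        'PayloadType': 'Configuration', 'PayloadVersion': 1,
        'PayloadIdentifier': 'com.example.' + name,
        'PayloadUUID': str(uuid.uuid4()).upper(),
        'PayloadDisplayName': name, 'PayloadScope': 'System',
        'PayloadContent': list(payloads)})

def restart_device_command(kext_paths, notify_user=True):
    # MDM RestartDevice command that rebuilds the AuxKC on the next restart.
    # The page calls the flag RebuildCache; the protocol key as I know it is
    # RebuildKernelCache (check it against your MDM vendor documentation).
    # KextPaths stages kexts that have not yet tried to load; NotifyUser lets
    # the user choose when to restart (macOS 11.3+).
    return {'CommandUUID': str(uuid.uuid4()).upper(),
            'Command': {'RequestType': 'RestartDevice',
                        'RebuildKernelCache': True,
                        'KextPaths': list(kext_paths),
                        'NotifyUser': notify_user}}

def find_payload(profile_data, payload_type):
    # Parse a profile back from plist bytes and return the first payload of
    # the given type, as an auditor would for a profile pulled from a Mac.
    for payload in plistlib.loads(profile_data)['PayloadContent']:
        if payload.get('PayloadType') == payload_type:
            return payload
    return None

def _listed(policy, key, team_id, value):
    return value in policy.get(key, {}).get(team_id, [])

def load_decision(policy, team_id, bundle_id, ext_type=None):
    # Simplified model of the documented rules for both payload types: the
    # extension loads without user interaction if its developer, its bundle
    # ID, or (system extensions only) its type for that developer is listed;
    # otherwise the user may approve it, unless AllowUserOverrides is False,
    # in which case it cannot load. A listed kext still needs the restart.
    listed = team_id in policy.get('AllowedTeamIdentifiers', [])
    for key in ('AllowedSystemExtensions', 'AllowedKernelExtensions'):
        listed = listed or _listed(policy, key, team_id, bundle_id)
    listed = listed or _listed(policy, 'AllowedSystemExtensionTypes', team_id, ext_type)
    if listed:
        return 'allowed'
    return 'user-approval' if policy.get('AllowUserOverrides', True) else 'blocked'

def removable_without_admin(policy, team_id, bundle_id):
    # True when the app may deactivate this extension with no admin prompt.
    return _listed(policy, 'RemovableSystemExtensions', team_id, bundle_id)

if __name__ == '__main__':
    data = profile_bytes([sysext_payload(), kext_payload()], 'extensions')
    sysext = find_payload(data, SYSEXT_PAYLOAD_TYPE)
    print(load_decision(sysext, TEAM_ID, VPN_EXT, 'NetworkExtension'))
    print(plistlib.dumps(restart_device_command([KEXT_PATH])).decode())
```

Run as a script it prints the decision for the VPN extension (allowed) and the RestartDevice command as XML; write the bytes from profile_bytes to a .mobileconfig file to inspect the profile or load it into your device management service. On managed Macs keep AllowUserOverrides false unless you want users to be able to approve extensions the profile does not name, and note that with the kext payload a listed kext only skips the approval dialog: the AuxKC rebuild and restart still happen.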
A Mac with macOS 11.3 or later optionally allows the service to notify\r\nthe user to complete the restart at their convenience.\r\nAdditional steps to add kexts on a Mac with Apple silicon\r\nIf you’re adding kernel extensions on a Mac with Apple silicon, you need to take additional steps, because\r\nthird-party kexts require the secure boot policy to be lowered to Reduced Security.\r\nEnrollment method: Not enrolled\r\nApproval method: Kext management by the user requires a restart to recoveryOS to downgrade security settings.\r\nThe user needs to press and hold the power button to restart into recoveryOS and authenticate as an\r\nadministrator. Only when recoveryOS is entered using the power button press does the Secure Enclave accept the\r\nchange of policy. The user then needs to select the checkbox Reduced Security and the option “Allow user\r\nmanagement of kernel extensions from identified developers” and restart the Mac.\r\nEnrollment method: User Enrollment\r\nApproval method: The user needs to restart into recoveryOS to downgrade security settings. The user needs to\r\npress and hold the power button to restart into recoveryOS and authenticate as a local administrator. Only when\r\nrecoveryOS is entered using the power button press does the Secure Enclave accept the change of policy. The user\r\nthen needs to select Reduced Security, check “Allow user management of kernel extensions from identified\r\ndevelopers,” and restart the Mac.\r\nEnrollment method: Device Enrollment\r\nApproval method: The device management service needs to notify the user to restart into recoveryOS to\r\ndowngrade security settings. The user needs to press and hold the power button to restart into recoveryOS and\r\nauthenticate as an administrator. Only when using the power button press does the Secure Enclave accept the\r\nchange of policy. 
The user\r\nthen needs to select Reduced Security, select “Allow remote management of kernel extensions and automatic\r\nsoftware updates,” and restart the Mac.\r\nTo learn if this feature is supported for your devices, consult your developer’s device management service\r\ndocumentation.\r\nEnrollment method: Automated Device Enrollment (the serial number of the Mac needs to appear in Apple School\r\nManager or Apple Business Manager, and the Mac needs to enroll in a device management service that links to\r\nApple School Manager or Apple Business Manager)\r\nApproval method: Device management services can manage this automatically. To learn if this feature is\r\nsupported for your devices, consult your developer’s device management service documentation.\r\nKernel extensions with System Integrity Protection\r\nIf System Integrity Protection (SIP) is enabled, the signature of each kext is verified before it is included in\r\nthe AuxKC. If SIP is turned off, the kext signature isn’t enforced. This approach allows Permissive Security\r\nflows for developers or users who aren’t part of the Apple Developer Program to test kexts before they’re signed;\r\non a managed fleet, treat a Mac with SIP disabled as one whose kext signature check has been removed.\r\nSource: https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://support.apple.com/guide/deployment/system-and-kernel-extensions-in-macos-depa5fb8376f/web"
	],
	"report_names": [
		"web"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "cfdd35af-bd12-4c03-8737-08fca638346d",
			"created_at": "2022-10-25T16:07:24.165595Z",
			"updated_at": "2026-04-10T02:00:04.887031Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Cosmic Wolf",
				"Marbled Dust",
				"Silicon",
				"Teal Kurma",
				"UNC1326"
			],
			"source_name": "ETDA:Sea Turtle",
			"tools": [
				"Drupalgeddon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "33ae2a40-02cd-4dba-8461-d0a50e75578b",
			"created_at": "2023-01-06T13:46:38.947314Z",
			"updated_at": "2026-04-10T02:00:03.155091Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"UNC1326",
				"COSMIC WOLF",
				"Marbled Dust",
				"SILICON",
				"Teal Kurma"
			],
			"source_name": "MISPGALAXY:Sea Turtle",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "62b1b01f-168d-42db-afa1-29d794abc25f",
			"created_at": "2025-04-23T02:00:55.22426Z",
			"updated_at": "2026-04-10T02:00:05.358041Z",
			"deleted_at": null,
			"main_name": "Sea Turtle",
			"aliases": [
				"Sea Turtle",
				"Teal Kurma",
				"Marbled Dust",
				"Cosmic Wolf",
				"SILICON"
			],
			"source_name": "MITRE:Sea Turtle",
			"tools": [
				"SnappyTCP"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434121,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1dc4816c6ca0a55e4442196ff125628e6e05242.pdf",
		"text": "https://archive.orkl.eu/c1dc4816c6ca0a55e4442196ff125628e6e05242.txt",
		"img": "https://archive.orkl.eu/c1dc4816c6ca0a55e4442196ff125628e6e05242.jpg"
	}
}