logo
allArticlesConferencesPresentations

Leveraging the Apple ESF for Behavioral Detections

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the use of the Endpoint Security Framework (ESF) to detect gatekeeper bypasses in macOS.
  • Gatekeeper is a security feature in macOS that checks for the presence of a quarantine attribute on downloaded applications before allowing them to run.
  • Safari's Auto unzip feature was found to be bypassing Gatekeeper prompts by not applying the quarantine attribute to the application directory itself.
  • The issue was traced to a bug in the bill of materials functionality, which caused the quarantine attribute to be applied to the recursive contents under the app directory instead of the directory itself.
  • The ESF was used to detect this bypass by looking for a file rename event and ensuring that the Safari sandbox broker was moving an application from its temp file to the downloads folder, and that the quarantine attribute was applied.
  • Behavioral detections like this can help detect new techniques even if they are not yet known.
  • The ESF provides a streamlined way to access events from various sources in macOS, allowing developers to build detection engines and other tools.
  • The presentation includes anecdotes about how the team discovered the bypass and traced it to the bill of materials bug.
The team discovered that Safari's Auto unzip feature was bypassing Gatekeeper prompts by downloading games in application form via zip archives. They found that the quarantine attribute was not being applied to the application directory itself, but only to the recursive contents under the app directory. Further investigation revealed that the issue was caused by a bug in the bill of materials functionality, which caused the quarantine attribute to be applied incorrectly. They used the ESF to detect this bypass by looking for a file rename event and ensuring that the quarantine attribute was applied.

Abstract

Since its 2019 introduction in macOS Catalina, we have used the Apple Endpoint Security Framework (ESF) as an event source to fuel behavioral-based detections. In this talk, we will focus on the difference between the old and new ways of detecting malicious activity on macOS, speaking to why both are relevant today. We will break down how we use ESF data, both in its basic form, as well as a pivot point to perform more advanced detections. The Endpoint Security Framework provides many different fields that get overlooked in detection scenarios. We will show how we can use these clues to piece together a story about malicious activity that has taken place on a system. Finally, we will discuss examples where ESF has helped us identify that exploitation has taken place, including the detection of multiple 0-days.
Materials:
Tags:

Post a comment

Related work

MacOS Behavioral Detections using Apple Endpoint Security API

Conference:  RSA Conference 2023
Authors: Matt Benyo, Jaron Bradley
2023-04-24

Nothing but Net: Leveraging macOS's Networking Frameworks to Heuristically Detect Malware

Conference:  Defcon 31
Authors: Patrick Wardle Objective-See Foundation
2023-08-01

Office Drama on macOS

Conference:  BlackHat USA 2020
Authors:
2020-08-05

Don't Eat Spaghetti with a Spoon - An Analysis of the Practical Value of Threat Intelligence

Conference:  BlackHat EU 2018
Authors:
2018-12-06

Heroku Abuse Operations: Hunting Wolves in Sheep's Clothing

Conference:  BlackHat USA 2020
Authors:
2020-08-06

Kernel Mode Threats and Practical Defenses

Conference:  BlackHat USA 2018
Authors:
2018-08-09