The presentation discusses the use of the Endpoint Security Framework (ESF) to detect gatekeeper bypasses in macOS.
- Gatekeeper is a security feature in macOS that checks for the presence of a quarantine attribute on downloaded applications before allowing them to run.
- Safari's Auto unzip feature was found to be bypassing Gatekeeper prompts by not applying the quarantine attribute to the application directory itself.
- The issue was traced to a bug in the bill of materials functionality, which caused the quarantine attribute to be applied to the recursive contents under the app directory instead of the directory itself.
- The ESF was used to detect this bypass by looking for a file rename event and ensuring that the Safari sandbox broker was moving an application from its temp file to the downloads folder, and that the quarantine attribute was applied.
- Behavioral detections like this can help detect new techniques even if they are not yet known.
- The ESF provides a streamlined way to access events from various sources in macOS, allowing developers to build detection engines and other tools.
- The presentation includes anecdotes about how the team discovered the bypass and traced it to the bill of materials bug.
The team discovered that Safari's Auto unzip feature was bypassing Gatekeeper prompts by downloading games in application form via zip archives. They found that the quarantine attribute was not being applied to the application directory itself, but only to the recursive contents under the app directory. Further investigation revealed that the issue was caused by a bug in the bill of materials functionality, which caused the quarantine attribute to be applied incorrectly. They used the ESF to detect this bypass by looking for a file rename event and ensuring that the quarantine attribute was applied.
Since its 2019 introduction in macOS Catalina, we have used the Apple Endpoint Security Framework (ESF) as an event source to fuel behavioral-based detections. In this talk, we will focus on the difference between the old and new ways of detecting malicious activity on macOS, speaking to why both are relevant today. We will break down how we use ESF data, both in its basic form, as well as a pivot point to perform more advanced detections. The Endpoint Security Framework provides many different fields that get overlooked in detection scenarios. We will show how we can use these clues to piece together a story about malicious activity that has taken place on a system. Finally, we will discuss examples where ESF has helped us identify that exploitation has taken place, including the detection of multiple 0-days.