Taking The macOS Endpoint Security Framework For A Quick Spin
This post is a short writeup on testing I have done with the macOS Endpoint Security framework available in Catalina. For background info, several good posts have been written on the Endpoint Security Framework:
- Detection Engineering Using Apple’s Endpoint Security Framework by Richie Cyrus: https://posts.specterops.io/detection-engineering-using-apples-endpoint-security-framework-affdbcb18b02
- Writing a Process Monitor with Apple’s Endpoint Security Framework by Patrick Wardle: https://objective-see.com/blog/blog_0x47.html
- Writing a File Monitor with Apple’s Endpoint Security Framework by Patrick Wardle: https://objective-see.com/blog/blog_0x48.html
My testing approach is simply running file and process monitor tools that use the Endpoint Security Framework while performing post exploitation tasks to get a feel for what events were captured and what those events look like.
Test Approach
For my testing, I used a post exploitation POC in Swift that I wrote:
My test setup:
- Tested on Catalina 10.15.3 inside of a Fusion VM:
- Used Objective See’s ProcessMonitor.app as a means of Endpoint Security Framework process monitoring (https://bitbucket.org/objective-see/deploy/downloads/ProcessMonitor_1.3.0.zip)
- Used Objective See’s FileMonitor.app as a means of Endpoint Security Framework file monitoring (https://bitbucket.org/objective-see/deploy/downloads/FileMonitor_1.2.0.zip)
- Used Chris Ross’s Appmon.app tool as a means of Endpoint Security Framework monitoring (https://bitbucket.org/xorrior/appmon/src/master/)
- As noted above, I used MacShellSwift as the offensive tooling to test; i ran the client mach-o payload inside of the Catalina VM and had it connect to the server on my host Mac
- I then ran various post exploitation commands from within MacShellSwift and watched Process Monitor to see what post exploitation events were captured
- I also ran some commands directly from the Terminal
Results
Overall, I think all of the Endpoint Security Framework tools (ProcessMonitor.app and FileMonitor.app by Patrick Wardle and Appmon.app by Chris Ross) are very neat tools that did a great job of displaying ESF capabilities and capturing various types of events. I gained insight into how offensive tooling using API calls can still be detected using file open/modification events. This insight can be helpful for both red and blue teams.
Below is a brief writeup of each test run and the results:
- Post Exploitation Task tested: Initial payload execution (in this case “./MacShellSwift”)
→Seen By ProcessMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_FORK and ES_EVENT_TYPE_NOTIFY_EXEC)
→Seen by FileMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_OPEN)
→Seen by Appmon.app?? YES (ES_EVENT_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_OPEN, ES_EVENT_TYPE_NOTIFY_MMAP)
2. Post Exploitation Task tested: Running Shell Commands (ex: “whoami”, “hostname”, “launchctl”)
→Seen by ProcessMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_FORK, ES_EVENT_TYPE_NOTIFY_EXEC)
→Seen by FileMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_OPEN)…however it’s not immediately clear that the “/usr/bin/whoami” binary was run from MacShellSwift
→Seen by Appmon.app?? YES (ES_EVENT_NOTIFY_FORK, ES_EVENT_NOTIFY_EXEC, ES_EVENT_NOTIFY_OPEN)
3. Post Exploitation Task tested: Taking a screenshot via the Cocoa API and sending to server without dropping to disk (i.e., MacShellSwift “screenshot” command)
→Seen by ProcessMonitor.app?? Did not appear to capture this activity
→Seen by FileMonitor.app?? Did not appear to capture this activity
→Seen by Appmon.app?? It did capture several ES_EVENT_TYPE_NOTIFY_OPEN events with a path of appmon but not sure if the events were tied specifically to the screenshot…
4. Post Exploitation Task tested: Taking a screenshot via the screencapture command line utility (i.e., “screencapture -x -t jpg out.jpg”)
→Seen by ProcessMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_FORK, ES_EVENT_TYPE_NOTIFY_EXEC)
→Seen by FileMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_OPEN, ES_EVENT_TYPE_NOTIFY_WRITE)…FileMonitor captured the screenshot being written to disk as a NOTIFY_WRITE event
→Seen by Appmon.app?? YES (ES_EVENT_NOTIFY_EXEC)
5. Post Exploitation Task tested: Dumping clipboard via Cocoa API (NSPasteboard)
→Seen by ProcessMonitor.app?? Did not appear to capture this activity
→Seen by FileMonitor.app?? Did not appear to capture this activity
→Seen by Appmon.app?? Did not appear to capture this activity
6. Post Exploitation Task tested: Dumping clipboard via osascript (i.e., “osascript -e ‘return (the clipboard)’”)
→Seen by ProcessMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_FORK, ES_EVENT_TYPE_NOTIFY_EXEC)
→Seen by FileMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_OPEN)…it captured a NOTIFY_OPEN event on the MacShellSwift binary but I did not see any details specifying the osascript command run
→Seen by Appmon.app? YES (ES_EVENT_TYPE_NOTIFY_EXEC)
7. Post Exploitation Task tested: Listing local users via the Cocoa API (i.e., MacShellSwift “listusers” command)
→Seen by ProcessMonitor.app?? Did not appear to capture this activity
→Seen by FileMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_OPEN)…caught the binary doing an “open” on the /Users directory (which is what it uses to enumerate local users)
→Seen by Appmon.app?? Did not appear to capture this activity
8. Post Exploitation Task tested: Gathering basic system info via the Cocoa API (i.e., MacShellSwift “systeminfo” command)
→Seen by ProcessMonitor.app?? Did not appear to capture this activity
→Seen by FileMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_OPEN)…FileMonitor captured an open event on /System/Library/CoreServices/SystemVersion.plist, which shows that the MacShellSwift code pulls from the SystemVersion.plist file to get some system information. Same for /System/Library/CoreServices/SystemVersion.bundle
→Seen by Appmon.app?? Did not see any events specific to MacShellSwift captured
9. Post Exploitation Task tested: Reading user bash history (via the FileManager class…(i.e., MacShellSwift “userhist” command))
→Seen by ProcessMonitor.app?? Did not appear to capture this activity
→Seen by FileMonitor.app?? YES (ES_EVENT_TYPE_NOTIFY_OPEN)…FileMonitor captured an Open event on the .bash_history file, which the code programmatically reads from to extract bash history data
→Seen by Appmon.app?? Did not appear to capture this activity
10. Post Exploitation Task tested: Reading internal IP addresses via the Cocoa API (i.e., MacShellSwift “addresses” command)
→Seen by ProcessMonitor.app?? Did not appear to capture this activity
→Seen by FileMonitor.app?? Did not appear to capture this activity
→Seen by Appmon.app?? Did not appear to capture this activity
Summary
Thanks to Chris Ross and Patrick Wardle for developing and sharing their ESF logging tools (ProcessMonitor.app, FileMonitor.app, and Appmon.app) so that I could easily download them and run tests! Overall, I think the Endpoint Security Framework offers some neat native capabilities for defenders on Mac. ESF seems to be very strong around capturing command line executions and file open/modification events, which can be very helpful for defenders. The only logging gap I observed was when API calls are made that do not perform file open/modification events and do not write to disk (see example #3 above with in memory screenshots done via Cocoa API calls). Still, I think ESF has potential and is a step towards getting macOS event logging closer to its Windows counterpart with sysmon.
