Taking The macOS Endpoint Security Framework For A Quick Spin

This post is a short writeup on testing I have done with the macOS Endpoint Security framework available in Catalina. For background info, several good posts have been written on the Endpoint Security Framework:

My testing approach was simply to run file and process monitor tools built on the Endpoint Security Framework while performing post-exploitation tasks, to get a feel for which events were captured and what those events look like.

Test Approach

For my testing, I used a post exploitation POC in Swift that I wrote:

My test setup:

  • Tested on Catalina 10.15.3 inside of a Fusion VM:

Results

Overall, I think all of the Endpoint Security Framework tools (ProcessMonitor.app and FileMonitor.app by Patrick Wardle and Appmon.app by Chris Ross) are very neat tools that did a great job of displaying ESF capabilities and capturing various types of events. I gained insight into how offensive tooling using API calls can still be detected using file open/modification events. This insight can be helpful for both red and blue teams.

Below is a brief writeup of each test run and the results:

1. Post Exploitation Task tested: Initial payload execution (in this case “./MacShellSwift”)

→ Seen by ProcessMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_FORK and ES_EVENT_TYPE_NOTIFY_EXEC)

→ Seen by FileMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_OPEN)

→ Seen by Appmon.app? YES (ES_EVENT_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_OPEN, ES_EVENT_TYPE_NOTIFY_MMAP)

2. Post Exploitation Task tested: Running shell commands (ex: “whoami”, “hostname”, “launchctl”)

→ Seen by ProcessMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_FORK, ES_EVENT_TYPE_NOTIFY_EXEC)

→ Seen by FileMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_OPEN). However, it is not immediately clear from the events that the “/usr/bin/whoami” binary was run from MacShellSwift.

→ Seen by Appmon.app? YES (ES_EVENT_NOTIFY_FORK, ES_EVENT_NOTIFY_EXEC, ES_EVENT_NOTIFY_OPEN)

3. Post Exploitation Task tested: Taking a screenshot via the Cocoa API and sending it to the server without dropping to disk (i.e., MacShellSwift “screenshot” command)

→ Seen by ProcessMonitor.app? Did not appear to capture this activity

→ Seen by FileMonitor.app? Did not appear to capture this activity

→ Seen by Appmon.app? It did capture several ES_EVENT_TYPE_NOTIFY_OPEN events with a path of appmon, but it is not clear whether those events were tied specifically to the screenshot.

4. Post Exploitation Task tested: Taking a screenshot via the screencapture command line utility (i.e., “screencapture -x -t jpg out.jpg”)

→ Seen by ProcessMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_FORK, ES_EVENT_TYPE_NOTIFY_EXEC)

→ Seen by FileMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_OPEN, ES_EVENT_TYPE_NOTIFY_WRITE). FileMonitor captured the screenshot being written to disk as a NOTIFY_WRITE event.

→ Seen by Appmon.app? YES (ES_EVENT_NOTIFY_EXEC)

5. Post Exploitation Task tested: Dumping the clipboard via the Cocoa API (NSPasteboard)

→ Seen by ProcessMonitor.app? Did not appear to capture this activity

→ Seen by FileMonitor.app? Did not appear to capture this activity

→ Seen by Appmon.app? Did not appear to capture this activity

6. Post Exploitation Task tested: Dumping the clipboard via osascript (i.e., “osascript -e ‘return (the clipboard)’”)

→ Seen by ProcessMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_FORK, ES_EVENT_TYPE_NOTIFY_EXEC)

→ Seen by FileMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_OPEN). It captured a NOTIFY_OPEN event on the MacShellSwift binary, but I did not see any details specifying the osascript command that was run.

→ Seen by Appmon.app? YES (ES_EVENT_TYPE_NOTIFY_EXEC)

7. Post Exploitation Task tested: Listing local users via the Cocoa API (i.e., MacShellSwift “listusers” command)

→ Seen by ProcessMonitor.app? Did not appear to capture this activity

→ Seen by FileMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_OPEN). It caught the binary doing an “open” on the /Users directory (which is what it uses to enumerate local users).

→ Seen by Appmon.app? Did not appear to capture this activity

8. Post Exploitation Task tested: Gathering basic system info via the Cocoa API (i.e., MacShellSwift “systeminfo” command)

→ Seen by ProcessMonitor.app? Did not appear to capture this activity

→ Seen by FileMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_OPEN). FileMonitor captured an open event on /System/Library/CoreServices/SystemVersion.plist, which shows that the MacShellSwift code pulls from the SystemVersion.plist file to get some of its system information. It captured the same for /System/Library/CoreServices/SystemVersion.bundle.

→ Seen by Appmon.app? Did not see any events specific to MacShellSwift captured

9. Post Exploitation Task tested: Reading user bash history via the FileManager class (i.e., MacShellSwift “userhist” command)

→ Seen by ProcessMonitor.app? Did not appear to capture this activity

→ Seen by FileMonitor.app? YES (ES_EVENT_TYPE_NOTIFY_OPEN). FileMonitor captured an open event on the .bash_history file, which the code programmatically reads to extract bash history data.

→ Seen by Appmon.app? Did not appear to capture this activity

10. Post Exploitation Task tested: Reading internal IP addresses via the Cocoa API (i.e., MacShellSwift “addresses” command)

→ Seen by ProcessMonitor.app? Did not appear to capture this activity

→ Seen by FileMonitor.app? Did not appear to capture this activity

→ Seen by Appmon.app? Did not appear to capture this activity
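As an added example (not part of the original post, MacShellSwift, or any of the monitor tools), the Python below sketches the correlation a defender would layer on top of these events: it rebuilds parent/child lineage from EXEC events so that the whoami execution in item 2 is attributed back to MacShellSwift, and flags the opens of /Users, .bash_history and SystemVersion.plist from items 7 to 9 when they come from non-platform code. The one-object-per-line log format and its key names are assumptions, and the sample events are constructed.

```python
import json
# Paths that the tests above (items 7-9) surfaced only as NOTIFY_OPEN events.
WATCHED_OPENS = ("/Users", ".bash_history", "SystemVersion.plist")

# Constructed sample log, not real ProcessMonitor/FileMonitor output; the
# one-JSON-object-per-line shape and the key names are assumptions of this demo.
SAMPLE_LOG = """
{"event": "ES_EVENT_TYPE_NOTIFY_EXEC", "process": {"pid": 1, "ppid": 0, "path": "/sbin/launchd"}}
{"event": "ES_EVENT_TYPE_NOTIFY_EXEC", "process": {"pid": 501, "ppid": 1, "path": "/Users/test/MacShellSwift"}}
{"event": "ES_EVENT_TYPE_NOTIFY_EXEC", "process": {"pid": 502, "ppid": 501, "path": "/usr/bin/whoami"}}
{"event": "ES_EVENT_TYPE_NOTIFY_OPEN", "process": {"pid": 501, "ppid": 1, "path": "/Users/test/MacShellSwift"}, "file": {"destination": "/Users"}}
{"event": "ES_EVENT_TYPE_NOTIFY_OPEN", "process": {"pid": 501, "ppid": 1, "path": "/Users/test/MacShellSwift"}, "file": {"destination": "/Users/test/.bash_history"}}
{"event": "ES_EVENT_TYPE_NOTIFY_OPEN", "process": {"pid": 60, "ppid": 1, "path": "/usr/libexec/lsd"}, "file": {"destination": "/System/Library/CoreServices/SystemVersion.plist"}}
"""
def parse_events(log):
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def build_process_table(events):
    """pid -> (exec path, ppid), learned from the EXEC events."""
    return {ev["process"]["pid"]: (ev["process"]["path"], ev["process"]["ppid"])
            for ev in events if ev["event"] == "ES_EVENT_TYPE_NOTIFY_EXEC"}

def ancestry(pid, table):
    """Exec-path chain from pid up to the root, child first; stops at unknown pids or loops."""
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        path, pid = table[pid]
        chain.append(path)
    return chain

def is_platform_binary(path):
    """Crude stand-in for a signing-ID check: only OS-owned locations count."""
    return path.startswith(("/usr/", "/bin/", "/sbin/", "/System/"))

def triage(events):
    """Flag watched-path opens by non-platform code and execs whose parent is non-platform code."""
    table = build_process_table(events)
    alerts = []
    for ev in events:
        proc = ev["process"]
        chain = ancestry(proc["pid"], table) or [proc["path"]]
        if ev["event"] == "ES_EVENT_TYPE_NOTIFY_OPEN":
            dest = ev["file"]["destination"]
            if dest.endswith(WATCHED_OPENS) and not is_platform_binary(proc["path"]):
                alerts.append(f"watched open {dest} by {' <- '.join(chain)}")
        elif ev["event"] == "ES_EVENT_TYPE_NOTIFY_EXEC":
            if len(chain) > 1 and not is_platform_binary(chain[1]):
                alerts.append(f"exec {chain[0]} spawned by non-platform parent {' <- '.join(chain[1:])}")
    return alerts
```

Run against the constructed log, the lsd open of SystemVersion.plist stays quiet because the opener is a platform binary, while the same file opened by MacShellSwift would alert.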

Summary

Thanks to Chris Ross and Patrick Wardle for developing and sharing their ESF logging tools (ProcessMonitor.app, FileMonitor.app, and Appmon.app) so that I could easily download them and run tests! Overall, I think the Endpoint Security Framework offers some neat native capabilities for defenders on Mac. ESF seems to be very strong at capturing command line executions and file open/modification events, which can be very helpful for defenders. The only logging gap I observed was when API calls are made that do not perform file open/modification operations and do not write to disk (see example #3 above with in-memory screenshots done via Cocoa API calls). Still, I think ESF has potential and is a step towards getting macOS event logging closer to what Sysmon provides on Windows.

Cedric Owens

Red teamer with blue team roots🤓👨🏽‍💻 Twitter: @cedowens