Threat Hunting Pids Within Apple’s Endpoint Security API The Apple Endpoint Security (ES) API provides a number of different process ID’s that can be used in our day to day threat hunting. For those of us that obsess over gettin the best visibility possible out of the activity occurring on Read more…
What does APT Activity Look Like on macOS? I often get asked what Advanced Persistent Activity (APT) or nation state hacking looks like on a macOS system. This is a great question and the answer is not widely known. Every APT entity has its own unique craft, but I often Read more…
Download ESFPlayground A Note: This tool has been upgraded since it’s original creation. Read the changes here The ESF Playground Over the past few months there have been multiple times where I’ve wanted to view all of the events in which the Apple Endpoint Security Framework (ESF) has to offer Read more…
Download MonitorUI MonitorUI For those that read my in depth coverage on low-level process hunting or any of my blogposts on TrueTree, you know that I’m a stickler for process hunting on macOS. For this reason, I have about a million and one different ways in which I like to Read more…
Hurdling the Running boards NOTE: This research was relevant on macOS 10.16 and prior. Changes to macOS 11 have broken this approach. The blog post remains for research but true tree has been rolled back to its previous state which does not attempt to get around the runningboardd “hurdles”. Welcome Read more…
Getting Stepped on by runningboards With the release of Big Sur back in November, I was relieved to see that my TrueTree tool was still running with no crashes on both the Intel and the new Apple M1 chip. Previous visitors to this site are probably aware of my obsession Read more…
Detecting SSH Activity via Process Monitoring During my time as a threat hunter, I’ve seen many intrusions start via SSH access using legitimate credentials. Now you might be thinking why on earth are users enabling the SSH service on macOS. Is that really necessary for basic users? Of course for Read more…
Download TrueTree Incident Response With TrueTree TrueTree is an open-source tool designed by me for threat hunters, incident responders, or anyone in between. If you read part one of this blog post, you know that nearly all processes on MacOS end up getting shown as a child of launchd due Read more…
Download TrueTree The TrueTree Concept The process tree is incredibly important when it comes to threat hunting. It doesn’t matter what platform you’re on. Every action that occurs on the operating system can be tied back to the process that caused it. Based on the combined actions that this process Read more…
Low-Level Process Hunting on macos Parent/child relationships are one of the simplest and most effective ways to detect malicious activity at the host level. On Unix, multiple methods can be used to create a process, all of which result in a different behavior on the operating system. These days, a Read more…