Blog

Threat Hunting Pids Within Apple’s Endpoint Security API

The Apple Endpoint Security (ES) API provides a number of different process IDs that can be used in our day-to-day threat hunting. For those of us who obsess over getting the best visibility possible into the activity occurring on the system, it's best to take the time to fully understand these available pids and how they operate. This blog post lays the foundation for …

What does APT Activity Look Like on macOS?

I often get asked what Advanced Persistent Threat (APT) or nation-state hacking looks like on a macOS system. This is a great question, and the answer is not widely known. Every APT entity has its own unique craft, but I often find myself directing people to a talk I gave back in 2018 titled Macdoored. This talk primarily focused on a single entity intruding into a …

The ESF Playground

Note: This tool has been upgraded since its original creation. Over the past few months there have been multiple times where I've wanted to view all of the events that the Apple Endpoint Security Framework (ESF) has to offer as they occur in real time, and yet no such tool exists. One of the reasons no such tool exists could be due to the …

MonitorUI Tool Release

For those who read my in-depth coverage of low-level process hunting or any of my blog posts on TrueTree, you know that I'm a stickler for process hunting on macOS. For this reason, I have about a million and one different ways in which I like to monitor process activity on macOS. Perhaps my favorite tool for tracking processes in a hurry is Objective-See's ProcessMonitor. Honestly, an underrated little tool that …

Hurdling the Runningboards

NOTE: This research was relevant on macOS 10.16 and prior. Changes in macOS 11 have broken this approach. The blog post remains for research, but TrueTree has been rolled back to its previous state, which does not attempt to get around the runningboardd "hurdles". Welcome back to the never-ending adventure of trying to keep the TrueTree tool operational. For those who missed it last time, we discussed that macOS …

Getting Stepped on by Runningboards

With the release of Big Sur back in November, I was relieved to see that my TrueTree tool was still running with no crashes on both Intel and the new Apple M1 chip. Previous visitors to this site are probably aware of my obsession with creating process trees on macOS that are as useful as possible. In the past, I've written about how this can be accomplished. After taking the time …

Detecting SSH Activity via Process Monitoring

During my time as a threat hunter, I've seen many intrusions start via SSH access using legitimate credentials. Now you might be thinking: why on earth are users enabling the SSH service on macOS? Is that really necessary for basic users? Of course for basic users the answer is no, it's not necessary at all, but I'd argue the odds are very good that macOS-based build servers, test …

Incident Response With TrueTree

TrueTree is an open-source tool designed by me for threat hunters, incident responders, or anyone in between. If you read part one of this blog post, you know that nearly all processes on macOS end up getting shown as a child of launchd due to Apple's unique XPC behavior. TrueTree works by collecting additional pid information from the system instead of just the standard pid and ppid. When executed, …

The TrueTree Concept

The process tree is incredibly important when it comes to threat hunting. It doesn't matter what platform you're on: every action that occurs on the operating system can be tied back to the process that caused it. Based on the combined actions that this process performed, a determination can be made as to whether it's malicious or benign (or somewhere in between). The process in question will have its own …

Low-Level Process Hunting on macOS

Parent/child relationships are one of the simplest and most effective ways to detect malicious activity at the host level. On Unix, multiple methods can be used to create a process, each of which results in different behavior on the operating system. These days, a majority of host-based endpoint technologies provide ways to view process trees and write detections based on them. However, there is a fundamental understanding of process …
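Several of the posts above share one idea: a tree built only from ppid puts almost everything under launchd, so a second pid field is needed to recover who really launched a process, and once you have a useful tree, relationships such as "shell descended from sshd" become a detection. The following is an added illustration written for this index, not code from TrueTree or any other tool described here. It assumes a constructed set of process records and a "responsible pid"-style field (rpid); the exact extra pid TrueTree collects and its re-parenting rules are not stated on this page, so the heuristic below is a simplification.

```python
"""Illustrative process tree: plain ppid tree versus a tree that uses a second pid
field, plus a simple "descended from sshd" detection. Added example; the records
below are constructed sample data, not output from any real system or tool."""
from collections import defaultdict

LAUNCHD_PID = 1

# Constructed sample records. "rpid" is assumed to be a responsible-pid style
# field (hypothetical here; the page does not name the field TrueTree uses).
PROCS = [
    {"pid": 1,   "ppid": 0,   "rpid": 1,   "name": "launchd"},
    {"pid": 100, "ppid": 1,   "rpid": 100, "name": "sshd"},              # listener from launchd
    {"pid": 101, "ppid": 100, "rpid": 101, "name": "sshd"},              # per-connection sshd
    {"pid": 102, "ppid": 101, "rpid": 101, "name": "zsh"},               # shell over SSH
    {"pid": 103, "ppid": 102, "rpid": 101, "name": "curl"},              # run from that shell
    {"pid": 200, "ppid": 1,   "rpid": 200, "name": "Safari"},
    {"pid": 201, "ppid": 1,   "rpid": 200, "name": "WebKit.Networking"}, # XPC: ppid is launchd
]
BY_PID = {p["pid"]: p for p in PROCS}


def effective_parent(proc, use_rpid):
    """Parent used when building the tree. With use_rpid, a process that shows up
    as a child of launchd but has a different responsible pid is re-parented under
    that pid (simplified heuristic, not TrueTree's actual logic)."""
    if use_rpid and proc["ppid"] == LAUNCHD_PID and proc["rpid"] not in (proc["pid"], LAUNCHD_PID):
        return proc["rpid"]
    return proc["ppid"]


def build_tree(procs, use_rpid=False):
    """Map parent pid -> list of child pids."""
    children = defaultdict(list)
    for p in procs:
        children[effective_parent(p, use_rpid)].append(p["pid"])
    return dict(children)


def render(children, root=LAUNCHD_PID, depth=0, by_pid=BY_PID):
    """Indented text lines for the subtree rooted at `root`."""
    lines = [f"{'  ' * depth}{by_pid[root]['name']} ({root})"]
    for c in sorted(children.get(root, [])):
        lines.extend(render(children, c, depth + 1, by_pid))
    return lines


def ancestors(pid, use_rpid=False, by_pid=BY_PID):
    """Ancestor pids from nearest parent up to launchd (inclusive). A cycle guard
    keeps a bad rpid value from looping forever."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["pid"] not in seen and cur["pid"] != LAUNCHD_PID:
        seen.add(cur["pid"])
        cur = by_pid.get(effective_parent(cur, use_rpid))
        if cur:
            chain.append(cur["pid"])
    return chain


def ssh_spawned(procs, by_pid=BY_PID, use_rpid=False):
    """Pids of every non-sshd process with an sshd somewhere in its ancestry,
    i.e. activity that arrived over an SSH session."""
    hits = []
    for p in procs:
        if p["name"] == "sshd":
            continue
        if any(by_pid[a]["name"] == "sshd" for a in ancestors(p["pid"], use_rpid, by_pid)):
            hits.append(p["pid"])
    return hits


if __name__ == "__main__":
    print("ppid only:")
    print("\n".join(render(build_tree(PROCS))))
    print("\nwith responsible pid:")
    print("\n".join(render(build_tree(PROCS, use_rpid=True))))
    print("\nspawned under sshd:", ssh_spawned(PROCS))
```

With ppid alone the WebKit.Networking service sits directly under launchd next to sshd and Safari; with the second field it moves under Safari, which is the view an analyst actually wants. The SSH check walks the same ancestry and flags the shell and the curl it ran, while the sshd processes themselves are left alone.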