As a defender, you may be tasked with protecting a large population of macOS systems. How does one begin to identify spoiled apples in a large bin full of apples? To start, you have to accept that there may be at least one bad apple in the bin. Let's operate under the assumption that there is at least one compromised system in your population at any given time.

This is the first post in a four-part series that will discuss methodologies and techniques to proactively find compromised Macs in an enterprise environment. Osquery will be used exclusively in this series for several reasons: it is free and open source, which means you can follow along in your own lab or testing environment, and it exposes the majority of the data needed to build robust host-based detections for macOS systems.

In this post, we'll use Empire to simulate malicious activity. A lot of Empire's capabilities are used in modern Mac malware today. There are a number of ways an attacker could gain initial access to a macOS system; here, let's focus on how we can identify a compromised system assuming that an attacker has already established persistence. MITRE ATT&CK lists many of the techniques used in the "Persistence" tactic. The go-to technique for persistence on macOS systems today is the installation of a LaunchAgent or LaunchDaemon. Thus, we can form the following hypothesis: at least one of the systems in my environment is compromised and is persisting via a LaunchAgent or LaunchDaemon.

Let's generate a malicious LaunchDaemon via Empire.

The osquery schema shows the tables that are available for a given operating system and the data type of each column in a table. The table that contains LaunchAgent/LaunchDaemon information is launchd. Below is a simple query that demonstrates the data osquery exposes to us.

It is common for attackers to give their LaunchAgents and LaunchDaemons labels starting with "com.apple." so that they blend in with the legitimate Apple items that share that label prefix. The binaries behind legitimate com.apple.* LaunchAgents and LaunchDaemons, however, are signed by Apple, and that is a property a label cannot fake.

We'll build on our initial query to look at the third-party LaunchAgents and LaunchDaemons installed system-wide, which live in the /Library/LaunchAgents and /Library/LaunchDaemons directories. Filtering on that path prefix narrows our dataset to exclude the LaunchAgents and LaunchDaemons under /System, which is protected by System Integrity Protection. (Per-user agents in ~/Library/LaunchAgents are another common persistence location; the launchd table enumerates those as well, so widen the path filter if you want them in the same hunt.)

```sql
select path,name,label,run_at_load,program_arguments from launchd where path like '/Library/Launch%'
```

Checking the signature of the program behind each item gives us the ground truth. In the result shown, the signed value is 1 with a corresponding authority value of "Developer ID Application: VMware", and EG7KH642X6 is the team identifier Apple assigned to VMware, which appears on every app VMware signs.
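The queries below are an added example for this post, not osquery queries taken from the original page. They extend the launchd query above by joining osquery's signature table so that a label can be compared against who actually signed the executable. The list of Apple authority strings and the EG7KH642X6 allow-list entry are assumptions to tune for your own fleet; the column names (launchd.program, launchd.program_arguments, signature.signed, signature.authority, signature.team_identifier) are from the osquery schema.

```sql
-- Hunt 1: items under /Library/Launch* whose label masquerades as com.apple.*
-- but whose executable is NOT signed by Apple.
-- osquery's signature table must be constrained by path, so the join
-- supplies it from the item's program (or the first program_arguments token).
SELECT
  l.path,
  l.label,
  l.run_at_load,
  l.program_arguments,
  exe.bin            AS executable,
  s.signed,
  s.authority,
  s.team_identifier
FROM launchd AS l
JOIN (
  SELECT
    path,
    CASE
      WHEN program != '' THEN program
      WHEN instr(program_arguments, ' ') > 0
        THEN substr(program_arguments, 1, instr(program_arguments, ' ') - 1)
      ELSE program_arguments
    END AS bin
  FROM launchd
) AS exe ON exe.path = l.path
LEFT JOIN signature AS s ON s.path = exe.bin
WHERE l.path LIKE '/Library/Launch%'
  AND l.label LIKE 'com.apple.%'
  AND (
        s.signed IS NULL            -- executable missing or unreadable
     OR s.signed = 0                -- unsigned
     -- Assumed Apple authority strings; adjust after checking a known-good host.
     OR s.authority NOT IN ('Software Signing', 'Apple Mac OS Application Signing')
  );

-- Hunt 2: baseline every /Library/Launch* item that starts at load, with its
-- signing authority and team id, skipping vendors already vetted.
-- EG7KH642X6 (VMware, from the post) is the assumed seed of that allow-list.
SELECT
  l.path,
  l.label,
  exe.bin            AS executable,
  s.signed,
  s.authority,
  s.team_identifier
FROM launchd AS l
JOIN (
  SELECT
    path,
    CASE
      WHEN program != '' THEN program
      WHEN instr(program_arguments, ' ') > 0
        THEN substr(program_arguments, 1, instr(program_arguments, ' ') - 1)
      ELSE program_arguments
    END AS bin
  FROM launchd
) AS exe ON exe.path = l.path
LEFT JOIN signature AS s ON s.path = exe.bin
WHERE l.path LIKE '/Library/Launch%'
  AND l.run_at_load = 1
  AND (s.team_identifier IS NULL OR s.team_identifier NOT IN ('EG7KH642X6'))
ORDER BY s.signed, s.authority, l.path;
```

Run each query in osqueryi on a known-good host first: Hunt 1 should return nothing, and Hunt 2 gives you the list of team identifiers to add to the allow-list before scheduling the queries across the fleet. A hit in Hunt 1 is high-signal because the label and the signature disagree; Hunt 2 is a triage list, not an alert.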