The second most popular OS in today’s business environment, macOS, is often neglected in cybersecurity discussions. This is likely due to Windows OS holding a dominant share (72.1%) of the global workstation market and Linux (4.03%) running critical parts of IT infrastructure. This often leaves macOS excluded from the conversation.
However, threat actors are huge fans of taking the path of least resistance. So when the world is focusing attention on securing Windows and Linux, rest assured that some adversaries are shifting gears to target macOS. Fortunately, there are some reliable (if not well-known) ways to conduct effective threat hunting in macOS. Matt Bromiley, Lead Solutions Engineer at LimaCharlie, recently covered a few of them in his webinar, Threat Hunting for macOS.
His presentation used the LimaCharlie SecOps Cloud Platform, as it provides an intuitive and powerful tool for this task. Here are a few key takeaways:
Many threat hunting queries should be crafted as detection rules. This allows you to define parameters of interest once and run them as often as needed.
macOS threat hunting begins by searching for suspicious indicators in high-level basics such as processes, network connections, DNS requests, and file system events.
When analyzing processes in macOS, the responsible process field displays the root process of a chain and is reported for every process in that chain. On macOS this is the application that originally launched the activity (for example Terminal for a shell and everything the shell spawns), which is not always the direct parent. That makes the responsible process an excellent place to start threat investigations, as it provides an overview of related activities.
DNS requests can be queried using wildcards to discover domains of interest, or domains that show up with unusual frequency (potentially indicating a security issue).
Code identity events can be used to inspect binaries for signs of signature anomalies (for example, unsigned or ad-hoc signed binaries).
The SecOps Cloud Platform can use code identities to build a searchable binary library (BinLib) of files of interest for further inspection.
The Mac Unified Log (MUL) can be queried for highly detailed information about system activity. By filtering searches using predicates such as messages, subsystems, or processes you can uncover a wealth of information.
Performing data-rich threat hunting in macOS is made possible by the sensors LimaCharlie deploys to endpoints: native macOS agents, not lightly modified Linux ones. These sensors let you triage a host as if you were logged into it locally, and the SecOps Cloud Platform scales to accommodate as many macOS devices as needed.
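The responsible-process takeaway above in working form, as an added example that is not LimaCharlie's code or event schema: it groups constructed process events by responsible process, contrasts that view with the parent chain, and flags a Terminal session that is responsible for both a downloader and a shell interpreter. The field names pid, ppid, rpid, path and cmdline, the sample events and the heuristic are assumptions made for this demo; map them to whatever your sensor actually emits.

```python
"""Pivoting on the responsible process.

Added example, not LimaCharlie's code or event schema. On macOS the
responsible process is the application that originally launched a chain
(Terminal.app for a zsh -> curl/sh chain) and is not always the direct
parent, so grouping on it shows everything one launch did. The fields
pid/ppid/rpid/path/cmdline are a constructed layout.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: a Terminal session whose shell runs a curl-into-sh
# one-liner, plus an unrelated launchd-started daemon. rpid == pid marks a
# responsible root.
SAMPLE_EVENTS = [
    {"pid": 1,   "ppid": 0,   "rpid": 1,   "path": "/sbin/launchd", "cmdline": "launchd"},
    {"pid": 500, "ppid": 1,   "rpid": 500,
     "path": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal", "cmdline": "Terminal"},
    {"pid": 501, "ppid": 500, "rpid": 500, "path": "/bin/zsh",      "cmdline": "-zsh"},
    {"pid": 502, "ppid": 501, "rpid": 500, "path": "/usr/bin/curl", "cmdline": "curl -fsSL http://example.invalid/x.sh"},
    {"pid": 503, "ppid": 501, "rpid": 500, "path": "/bin/sh",       "cmdline": "sh"},
    {"pid": 600, "ppid": 1,   "rpid": 600, "path": "/usr/libexec/trustd", "cmdline": "trustd"},
]


def parent_chain(events: List[dict], pid: int) -> List[int]:
    """Walk ppid links from pid up to launchd: the view a parent-based
    process tree gives you, one process at a time."""
    by_pid = {e["pid"]: e for e in events}
    chain: List[int] = []
    while pid in by_pid and pid not in chain:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def group_by_responsible(events: List[dict]) -> Dict[int, List[dict]]:
    """Every process filed under its responsible root pid."""
    groups: Dict[int, List[dict]] = defaultdict(list)
    for e in events:
        groups[e["rpid"]].append(e)
    return dict(groups)


def summarize(events: List[dict]) -> Dict[int, dict]:
    """One row per responsible process: what it is and every binary it is
    ultimately responsible for. A root that already exited is reported as '?'."""
    by_pid = {e["pid"]: e for e in events}
    return {
        rpid: {
            "root": by_pid.get(rpid, {"path": "?"})["path"].rsplit("/", 1)[-1],
            "binaries": sorted({e["path"].rsplit("/", 1)[-1] for e in members if e["pid"] != rpid}),
        }
        for rpid, members in group_by_responsible(events).items()
    }


# Example heuristic (an assumption for this demo, not a LimaCharlie rule):
# one responsible process behind both a downloader and a shell interpreter.
DOWNLOADERS = {"curl", "wget"}
SHELLS = {"sh", "bash", "zsh"}


def suspicious_roots(events: List[dict]) -> List[int]:
    """Responsible pids whose group contains a downloader and a shell."""
    return [rpid for rpid, s in summarize(events).items()
            if set(s["binaries"]) & DOWNLOADERS and set(s["binaries"]) & SHELLS]
```

Walking parent_chain from the sh process yields sh, zsh, Terminal, launchd one hop at a time; summarize(SAMPLE_EVENTS) answers the hunting question directly, listing curl, sh and zsh under the Terminal root in a single row.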
Diving Deeper into the MUL
The second live stream on analyzing macOS with the SecOps Cloud Platform took a deeper look at the MUL. Security analysts familiar with Windows systems may be used to importing event logs with little care. The MUL is extremely verbose and should not be imported in its entirety. It is important to spend some time determining which events you want to see in the MUL and only grabbing those.
The MUL is read with the macOS log command, and LimaCharlie's artifact collection uses the same predicate syntax. The general format is:
log show --predicate '<predicate>'
For example, to view messages from Safari processes, write:
log show --predicate 'process == "Safari"'
To specify the subsystem, write:
log show --predicate 'subsystem == "com.apple.preference"'
As always, it is important to declare the correct process and subsystem to retrieve the desired information. A misstep here results in either a flood of unrelated results or nothing at all. Once you have a working predicate, configure the sensor to tap into the MUL with it under the Artifacts Collection tab. If everything is set correctly you will see MUL entries appear on your EDR timeline.
Some examples of other MUL queries you may find useful. Each one should carry a time bound such as --last 1h (or a --start/--end window); without one, log show walks the entire persisted log store. Message text is matched on the eventMessage key, and --info adds the info-level messages that log show omits by default:
Keychain activity:
log show --predicate 'subsystem == "com.apple.securityd" AND eventMessage CONTAINS "Keychain"' --last 1h
Unapproved AI usage (here the ChatGPT desktop app):
log show --predicate 'process == "ChatGPT"' --info --last 1h
Transparency, Consent, and Control (TCC) requests and denials:
log show --predicate 'subsystem == "com.apple.TCC"' --info --last 1h
Authentication changes:
log show --predicate 'subsystem == "com.apple.LocalAuthentication"' --info --last 1h
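The queries above turned into a reusable hunt, as an added example that is not part of the original post or LimaCharlie's code: it builds log show predicates with each value quoted so that a supplied string cannot widen the query, parses the JSON that log show emits with --style ndjson, and applies the keychain, TCC, authentication and unapproved-app hunts as rules over constructed sample records (the "hunt as a detection rule" takeaway from the first webinar). The record field names are assumed from recent macOS output and should be confirmed on your own host; UNAPPROVED_APPS is a hypothetical deny list.

```python
"""Hunting the macOS unified log (MUL) from Python.

Added example, not LimaCharlie's code. Builds `log show` predicates so a
supplied value cannot rewrite the predicate, parses `log show --style ndjson`
output, and runs the hunts from the post as reusable rules. Record field
names (timestamp, subsystem, process, processImagePath, eventMessage) are
assumed from recent macOS output; confirm them with
`log show --style ndjson --last 1m` on your own host.
"""
import json
import os
import platform
import subprocess
from typing import Callable, Dict, Iterable, List

# Keys accepted in `log` predicates (see `log help predicates`).
_PREDICATE_KEYS = {"process", "processImagePath", "subsystem", "category",
                   "eventMessage", "messageType", "sender"}

def _quote(value: str) -> str:
    """Quote an NSPredicate literal. Quotes and backslashes are rejected rather
    than escaped: a value like  x" OR 1 == 1 OR "  would otherwise turn a
    narrow hunt into a dump of the whole log."""
    if any(c in value for c in '"\\'):
        raise ValueError(f"unsafe character in predicate value: {value!r}")
    return f'"{value}"'

def build_predicate(**clauses: str) -> str:
    """eventMessage clauses are substring matches (CONTAINS); every other key
    is an exact match (==). Clauses are joined with AND."""
    parts = []
    for key, value in clauses.items():
        if key not in _PREDICATE_KEYS:
            raise ValueError(f"unknown log predicate key: {key}")
        op = "CONTAINS" if key == "eventMessage" else "=="
        parts.append(f"{key} {op} {_quote(value)}")
    return " AND ".join(parts)

def parse_log_output(text: str) -> List[dict]:
    """Accept --style ndjson (one object per line) or --style json (one array)."""
    text = text.strip()
    if not text:
        return []
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def collect(predicate: str, last: str = "1h", info: bool = True) -> List[dict]:
    """Run `log show` on the local Mac. argv is a list (no shell), so the
    predicate cannot inject shell syntax; --last bounds the query, and without
    it `log show` walks the entire persisted log store."""
    if platform.system() != "Darwin":
        raise RuntimeError("`log show` exists only on macOS")
    cmd = ["log", "show", "--style", "ndjson", "--last", last, "--predicate", predicate]
    if info:
        cmd.append("--info")
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_log_output(out)

def _proc(rec: dict) -> str:
    """Process name: the `process` field, else the basename of the image path."""
    return rec.get("process") or os.path.basename(rec.get("processImagePath", ""))

UNAPPROVED_APPS = {"ChatGPT"}  # hypothetical deny list for this example

# The post's hunts written once as rules, so they run on every batch collected.
RULES: Dict[str, Callable[[dict], bool]] = {
    "keychain_activity": lambda r: r.get("subsystem") == "com.apple.securityd"
                                   and "Keychain" in r.get("eventMessage", ""),
    "tcc_activity":      lambda r: r.get("subsystem") == "com.apple.TCC",
    "auth_changes":      lambda r: r.get("subsystem") == "com.apple.LocalAuthentication",
    "unapproved_ai_app": lambda r: _proc(r) in UNAPPROVED_APPS,
}

def hunt(records: Iterable[dict], rules=RULES) -> List[dict]:
    """One hit per record that matches at least one rule."""
    hits = []
    for rec in records:
        matched = [name for name, rule in rules.items() if rule(rec)]
        if matched:
            hits.append({"rules": matched, "timestamp": rec.get("timestamp"),
                         "process": _proc(rec), "message": rec.get("eventMessage")})
    return hits

# Constructed records in the ndjson layout (not real log output).
SAMPLE_NDJSON = "\n".join(json.dumps(r) for r in [
    {"timestamp": "2024-05-01 09:00:01.000000-0700", "subsystem": "com.apple.securityd",
     "process": "security", "processImagePath": "/usr/bin/security",
     "eventMessage": "Keychain item query from uid 501"},
    {"timestamp": "2024-05-01 09:00:02.000000-0700", "subsystem": "com.apple.TCC",
     "process": "tccd", "processImagePath": "/System/Library/PrivateFrameworks/TCC.framework/Support/tccd",
     "eventMessage": "kTCCServiceScreenCapture request denied"},
    {"timestamp": "2024-05-01 09:00:03.000000-0700", "subsystem": "com.example.chat",
     "processImagePath": "/Applications/ChatGPT.app/Contents/MacOS/ChatGPT",
     "eventMessage": "session started"},
    {"timestamp": "2024-05-01 09:00:04.000000-0700", "subsystem": "com.apple.Safari",
     "process": "Safari", "processImagePath": "/Applications/Safari.app/Contents/MacOS/Safari",
     "eventMessage": "tab opened"},
])
```

On a Mac, hunt(collect(build_predicate(subsystem="com.apple.TCC"))) runs the TCC hunt live against the last hour of the log; on any platform, hunt(parse_log_output(SAMPLE_NDJSON)) exercises the rules against the constructed records, where the Safari line produces no hit and the ChatGPT line is matched through the image path because that record carries no process field.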
You can use the SecOps Cloud Platform to gain deep visibility into a macOS system by writing queries based on these examples. There are some exceptions, of course. For privacy reasons the unified log redacts dynamic values (they appear as <private> in the output), which is why portions of DNS entries and similar details are not visible unless Apple's private-data logging configuration profile has been installed on the host.
There are also several third-party tools that integrate with the SecOps Cloud Platform and extend its capabilities. For example, Velociraptor offers a MUL-specific hunting artifact while also providing insights into:
Browsing history
Autoruns
Files
System prefs
Users
The information contained in the MUL can be used countless ways to improve your organization’s security. Using it effectively comes down to knowing what you want to monitor and crafting queries to retrieve the information. For more specific examples of threat hunting in macOS watch part 1 and part 2 of the webinar, or reach out to LimaCharlie for a demo.
Happy hunting!
*** This is a Security Bloggers Network syndicated blog from LimaCharlie's Blog authored by LimaCharlie's Blog. Read the original post at: https://www.limacharlie.io/blog/threat-hunting-in-macos-with-the-secops-cloud-platform