My personal security blog is hosted on Notion at: swiftly-detecting.notion.site.
- So you want to build an Endpoint Security app?
- Endpoint Security client Survey 2023
- Common macOS Data Sources
- Endpoint Security Internals
- Published: August 3, 2024
- Link: swiftly-detecting.notion.site/ES-Gatekeeper-User-Override
Summary: Apple introduced a new Endpoint Security (ES) event in macOS 15 Sequoia, `ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE`, which gives visibility into Gatekeeper user overrides (a user explicitly allowing an item that Gatekeeper blocked). The event is emitted by the `/usr/libexec/syspolicyd` daemon. It is a NOTIFY event only; there is no AUTH counterpart, so an ES client can observe an override but cannot block it. The message carries the file type, the file path, the CDHash and a SHA-256 hash of the file (the hash is only populated for files under 100 MB). The event can be used to detect users bypassing Gatekeeper restrictions, which helps in incident response and threat hunting. Independently of ES, the `ExecPolicy` database (`/var/db/SystemPolicyConfiguration/ExecPolicy`) keeps override history: its `policy_scan_cache` and `settings` tables can be queried, and the `lastGKOverride` value in `settings` records the last override event.
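As an added example (not code from the original post or from Apple), here is a minimal Swift ES client that subscribes to the event and logs what each override message carries, including the cases where the SHA-256 is absent (file too large) or the file is unsigned. It assumes the usual ES client prerequisites: a binary signed with the `com.apple.developer.endpoint-security.client` entitlement, run as root, built against the macOS 15 SDK with a macOS 15 deployment target. The helpers `tokenString`, `hex` and `describe` are mine, not part of the ES API.

```swift
// Added example: minimal ES client that logs Gatekeeper user overrides on macOS 15.
// Assumes the standard ES client prerequisites (entitlement, root, macOS 15 SDK/target).
import EndpointSecurity
import Foundation

/// Copy an es_string_token_t (pointer + length, not NUL-terminated) into a Swift String.
func tokenString(_ token: es_string_token_t) -> String {
    guard token.length > 0, let data = token.data else { return "" }
    return String(decoding: UnsafeRawBufferPointer(start: data, count: token.length), as: UTF8.self)
}

/// Render a raw byte buffer as lowercase hex.
func hex(_ bytes: UnsafeRawBufferPointer) -> String {
    bytes.map { String(format: "%02x", $0) }.joined()
}

/// Build one log line from the fields of the override event.
func describe(_ event: es_event_gatekeeper_user_override_t) -> String {
    var fields: [String] = []
    // The target is delivered either as a bare path or as a full es_file_t;
    // file_type says which member of the `file` union is valid.
    switch event.file_type {
    case ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_PATH:
        fields.append("path=\(tokenString(event.file.file_path))")
    case ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_FILE:
        fields.append("path=\(tokenString(event.file.file.pointee.path))")
    default:
        fields.append("path=<unknown file_type \(event.file_type.rawValue)>")
    }
    // sha256 is NULL when the file was too large to hash (100 MB limit); es_sha256_t is 32 bytes.
    if let sha256 = event.sha256 {
        fields.append("sha256=\(hex(UnsafeRawBufferPointer(start: sha256, count: 32)))")
    } else {
        fields.append("sha256=<not computed>")
    }
    // signing_info is NULL for unsigned files.
    if let info = event.signing_info {
        withUnsafeBytes(of: info.pointee.cdhash) { fields.append("cdhash=\(hex($0))") }
        fields.append("team_id=\(tokenString(info.pointee.team_id))")
        fields.append("signing_id=\(tokenString(info.pointee.signing_id))")
    } else {
        fields.append("signing_info=<unsigned>")
    }
    return fields.joined(separator: " ")
}

var client: OpaquePointer?
let newClient = es_new_client(&client) { _, message in
    guard message.pointee.event_type == ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE else { return }
    // NOTIFY event: nothing to respond to, so just record the details.
    let event = message.pointee.event.gatekeeper_user_override.pointee
    let emitter = tokenString(message.pointee.process.pointee.executable.pointee.path)
    print("gatekeeper user override (reported by \(emitter)): \(describe(event))")
}
guard newClient == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
    fputs("es_new_client failed: \(newClient.rawValue)\n", stderr)
    exit(1)
}

// There is no AUTH variant of this event, so NOTIFY is the only subscription possible.
let events = [ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE]
guard es_subscribe(client, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fputs("es_subscribe failed\n", stderr)
    exit(1)
}
dispatchMain()
```

The process in the message is the emitter of the event (the page notes this is `syspolicyd`), not the user who clicked through; the override target is what is described by the `file`, `sha256` and `signing_info` fields.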
- Published: August 2, 2024
- Link: swiftly-detecting.notion.site/Listing-Connected-ES-Clients
Summary: It is possible to enumerate Endpoint Security (ES) clients (processes that have called `es_new_client(_:_:)`) using the I/O Registry. The I/O Registry is a database representing the system's current "hardware" configuration; it is organized into eight planes, of which the `IOService` plane is the one of interest here. The native `ioreg` utility can be used to query the `EndpointSecurityDriver` node, which reveals connected ES clients as `EndpointSecurityExternalClient` child objects. Apple's `IORegistryExplorer.app` offers a graphical view of the same tree.
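As an added example (not from the original post), the same enumeration done programmatically from Swift with IOKit: walk the `IOService` plane recursively, keep every entry whose class is `EndpointSecurityExternalClient`, and print its parent node (expected to be `EndpointSecurityDriver`, per the post) and its properties. It assumes macOS 12 or later (for `kIOMainPortDefault`) and needs no special privileges. The property key `IOUserClientCreator`, which IOKit sets on user clients to a string of the form "pid N, processname", is my assumption about which property identifies the owning process; because that is an assumption, the code also prints every property it finds on the entry.

```swift
// Added example: list connected ES clients from the I/O Registry with IOKit,
// the programmatic counterpart of `ioreg -c EndpointSecurityExternalClient`.
// Assumes macOS 12+ (kIOMainPortDefault). No special privileges required.
import Foundation
import IOKit

struct ESClientEntry {
    let parent: String            // registry name of the parent node (expected: EndpointSecurityDriver)
    let creator: String?          // assumption: "pid N, name" from the IOUserClientCreator property
    let properties: [String: Any] // every property on the entry, for inspection
}

/// Registry name of an entry, or its class name when `usingClass` is set.
func registryName(of entry: io_registry_entry_t, usingClass: Bool = false) -> String {
    var buffer = [CChar](repeating: 0, count: 128)   // io_name_t is char[128]
    let rc: kern_return_t
    if usingClass {
        rc = IOObjectGetClass(entry, &buffer)
    } else {
        rc = IORegistryEntryGetName(entry, &buffer)
    }
    return rc == KERN_SUCCESS ? String(cString: buffer) : "?"
}

/// All properties of an entry, or an empty dictionary if none could be read.
func properties(of entry: io_registry_entry_t) -> [String: Any] {
    var unmanaged: Unmanaged<CFMutableDictionary>?
    guard IORegistryEntryCreateCFProperties(entry, &unmanaged, kCFAllocatorDefault, 0) == KERN_SUCCESS,
          let dict = unmanaged?.takeRetainedValue() else { return [:] }
    return (dict as NSDictionary) as? [String: Any] ?? [:]
}

func connectedESClients() -> [ESClientEntry] {
    var iterator: io_iterator_t = 0
    // Walk the whole IOService plane. Unlike IOServiceGetMatchingServices this also visits
    // entries that never called registerService (ioreg shows them as !registered).
    guard IORegistryCreateIterator(kIOMainPortDefault, kIOServicePlane,
                                   IOOptionBits(kIORegistryIterateRecursively), &iterator) == KERN_SUCCESS
    else { return [] }
    defer { IOObjectRelease(iterator) }

    var clients: [ESClientEntry] = []
    var entry = IOIteratorNext(iterator)
    while entry != 0 {
        if registryName(of: entry, usingClass: true) == "EndpointSecurityExternalClient" {
            var parent: io_registry_entry_t = 0
            var parentName = "?"
            if IORegistryEntryGetParentEntry(entry, kIOServicePlane, &parent) == KERN_SUCCESS {
                parentName = registryName(of: parent)
                IOObjectRelease(parent)
            }
            let props = properties(of: entry)
            clients.append(ESClientEntry(parent: parentName,
                                         creator: props["IOUserClientCreator"] as? String,
                                         properties: props))
        }
        IOObjectRelease(entry)
        entry = IOIteratorNext(iterator)
    }
    return clients
}

let clients = connectedESClients()
print("\(clients.count) connected ES client(s)")
for c in clients {
    print("- parent=\(c.parent) creator=\(c.creator ?? "<none>")")
    for (key, value) in c.properties.sorted(by: { $0.key < $1.key }) {
        print("    \(key) = \(value)")
    }
}
```

Matching on the class name rather than on the registry entry name keeps the walk independent of how the driver labels its children; comparing the count against the output of `ioreg -c EndpointSecurityExternalClient` is a quick sanity check that nothing was missed.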