
7. Endpoint Security System DYLIB

Brandon Dalton edited this page Dec 16, 2023 · 2 revisions

Overview

When Apple designs "security relevant" components of macOS it links them against libEndpointSecuritySystem.dylib and, in most cases, signs them with fine-grained entitlements that allow them to submit events into the Endpoint Security subsystem (the KEXT itself), for example com.apple.private.endpoint-security.submit.authentication.touchid. This is not always the case, though, as /usr/libexec/ssh-sk-helper shows. The functionality exposed by this library lets linked binaries emit events about Open Directory, Background Task Management, XProtect and so on directly to the Endpoint Security KEXT. The full export list, as of macOS Sonoma, is at the bottom of this page; a sample:

ess_notify_authentication_touchid
ess_notify_lw_session_login
ess_notify_od_group_add
ess_notify_screensharing_attach
ess_notify_xp_malware_detected
ess_notify_sudo
...

Not every event type can be submitted by user-land binaries, but as of macOS Ventura the majority can (see ESMessage.h). Apple has done a nice job here: the eventing around high-level security operations is decently enriched and goes well beyond traditional process and file system activity. Examples include adding a user to an Open Directory node, XProtect detecting malware, and persisting a Launch Daemon/Agent or Login Item (Background Task Management).
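A practical way to find these "security relevant" components on your own machine is to walk the system directories, check which executables link libEndpointSecuritySystem.dylib, and read their submit.* entitlements. The script below is an added example for this page, not the wiki author's or Apple's code. It assumes a macOS host with otool and codesign on PATH; the parsing helpers take the tools' output as text/bytes so they can be exercised offline on the constructed samples at the end. The entitlement-to-function mapping in candidate_functions is a heuristic assumption derived from the two pairings on this page (submit.screensharing and submit.authentication.touchid), not something Apple documents.

```python
"""Find binaries that link libEndpointSecuritySystem.dylib and list their
com.apple.private.endpoint-security.submit.* entitlements.

Added example for this wiki page (not Apple's or the author's code). Assumes
otool and codesign on PATH; the parsers are pure and run offline.
"""
import os
import plistlib
import subprocess
import sys

ESS_DYLIB = "libEndpointSecuritySystem.dylib"
SUBMIT_PREFIX = "com.apple.private.endpoint-security.submit."

# Exports of libEndpointSecuritySystem.dylib as listed on this page (macOS Sonoma).
ESS_EXPORTS = """
ess_authorize_file_provider_materialize ess_authorize_file_provider_update
ess_notify_authentication_auto_unlock ess_notify_authentication_od
ess_notify_authentication_token ess_notify_authentication_touchid
ess_notify_authorization_judgement ess_notify_authorization_petition
ess_notify_btm_launch_item_add ess_notify_btm_launch_item_remove
ess_notify_login_login ess_notify_login_logout
ess_notify_lw_session_lock ess_notify_lw_session_login
ess_notify_lw_session_logout ess_notify_lw_session_unlock
ess_notify_od_attribute_set ess_notify_od_attribute_value_add
ess_notify_od_attribute_value_remove ess_notify_od_create_group
ess_notify_od_create_user ess_notify_od_delete_group ess_notify_od_delete_user
ess_notify_od_disable_user ess_notify_od_enable_user ess_notify_od_group_add
ess_notify_od_group_remove ess_notify_od_group_set ess_notify_od_modify_password
ess_notify_openssh_login ess_notify_openssh_logout
ess_notify_profile_add ess_notify_profile_remove
ess_notify_screensharing_attach ess_notify_screensharing_detach
ess_notify_su ess_notify_sudo
ess_notify_xp_malware_detected ess_notify_xp_malware_remediated
""".split()


def links_ess(otool_output: str) -> bool:
    """True if `otool -L` output lists the ESS dylib. Matched on basename so the
    install-name path (the library lives in the dyld shared cache) doesn't matter."""
    for line in otool_output.splitlines()[1:]:  # line 0 is "<path>:"
        parts = line.split()
        if parts and os.path.basename(parts[0]) == ESS_DYLIB:
            return True
    return False


def submit_entitlements(codesign_output: bytes) -> list[str]:
    """Return the submit.* entitlement keys from `codesign -d --entitlements :-`.
    Some codesign versions leave a binary blob header (magic 0xfade7171) in
    front of the plist, so skip to the XML start before parsing."""
    start = codesign_output.find(b"<?xml")
    if start < 0:
        start = codesign_output.find(b"<plist")
    if start < 0:
        return []  # unsigned / ad-hoc binary: no entitlements at all
    ents = plistlib.loads(codesign_output[start:])
    return sorted(k for k in ents if k.startswith(SUBMIT_PREFIX))


def candidate_functions(entitlement: str) -> list[str]:
    """Heuristic (an assumption, not documented by Apple): the entitlement suffix,
    dots turned into underscores, names the ess_* family it gates, e.g.
    submit.screensharing -> ess_notify_screensharing_{attach,detach}."""
    suffix = entitlement[len(SUBMIT_PREFIX):].replace(".", "_")
    out = []
    for fn in ESS_EXPORTS:
        rest = fn.split("_", 2)[2]  # strip the ess_notify_ / ess_authorize_ prefix
        if rest == suffix or rest.startswith(suffix + "_"):  # "su" must not match "sudo"
            out.append(fn)
    return out


def scan(roots):
    """Yield (path, submit entitlements) for every executable under `roots`
    that links the ESS dylib. macOS only; one otool spawn per file."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.access(path, os.X_OK):
                    continue
                otool = subprocess.run(["otool", "-L", path], capture_output=True, text=True)
                if otool.returncode != 0 or not links_ess(otool.stdout):
                    continue  # not Mach-O, or doesn't link the library
                cs = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                                    capture_output=True)
                yield path, submit_entitlements(cs.stdout)


# Constructed sample tool output (placeholder path, made-up second entitlement).
SAMPLE_OTOOL = (
    "/path/to/binary:\n"
    "\t/usr/lib/libEndpointSecuritySystem.dylib (compatibility version 1.0.0, current version 1.0.0)\n"
    "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1336.0.0)\n"
)
SAMPLE_CODESIGN = b"\xfa\xde\x71\x71\x00\x00\x01\x23" + b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>com.apple.private.endpoint-security.submit.screensharing</key><true/>
<key>com.example.constructed.other-entitlement</key><true/>
</dict></plist>
"""

if __name__ == "__main__":
    roots = sys.argv[1:] or ["/usr/libexec", "/usr/sbin", "/usr/bin"]
    for path, ents in scan(roots):
        print(path)
        for ent in ents:
            print(f"  {ent} -> {', '.join(candidate_functions(ent)) or '?'}")
```

Run it with the directories you care about as arguments (sudo is not needed for reading link tables or entitlements). A binary that links the library but prints no submit.* entitlement is exactly the ssh-sk-helper situation worth looking at more closely.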


Dynamic analysis

Now that we know libEndpointSecuritySystem.dylib lets linked binaries submit events into Endpoint Security, it would be good to validate that at runtime. We can take the same approach as in the Endpoint Security Daemon section and hook the ess_* functions themselves. We don't necessarily need to go that deep to get a good idea of what's going on, though. Let's look at an example.
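If you do want to go down to that level, the script below is an added example (not the wiki author's or Apple's code) of hooking the ess_* exports with frida-python and printing a symbolized backtrace for every call, which tells you which code path in the daemon decided to emit the event. It assumes frida-python 16 or newer (for script.exports_sync) on a macOS host, root to attach to system daemons, and a target process name given on the command line; the JavaScript agent is embedded as a string and the export filtering is done on the Python side so it can be tested offline.

```python
"""Hook every ess_* export of libEndpointSecuritySystem.dylib in a running
process and print who calls it, with a symbolized backtrace.

Added example for this wiki page. Assumes frida-python >= 16 and root on a
macOS host. Usage: sudo python3 hook_ess.py screensharingd ["^ess_"]
"""
import re
import sys

MODULE = "libEndpointSecuritySystem.dylib"

# Frida agent. Two RPC calls: list the module's exports, then hook a chosen
# subset. Every hit is sent back with the calling thread and a backtrace.
HOOK_JS = r"""
const MOD = "%s";
rpc.exports = {
  exports() {
    return Process.getModuleByName(MOD).enumerateExports()
      .filter(e => e.type === "function").map(e => e.name);
  },
  hook(names) {
    const mod = Process.getModuleByName(MOD);
    for (const name of names) {
      Interceptor.attach(mod.getExportByName(name), {
        onEnter(args) {
          send({
            fn: name,
            tid: this.threadId,
            bt: Thread.backtrace(this.context, Backtracer.ACCURATE)
                  .map(a => DebugSymbol.fromAddress(a).toString()),
          });
        },
      });
    }
    return names.length;
  },
};
""" % MODULE


def select_exports(names, pattern=r"^ess_notify_"):
    """Pick the exports to hook. The default is the notify_* family, the same
    set frida-trace -i "ess_notify_*" traces; pass "^ess_" to include the
    authorize_* functions as well."""
    rx = re.compile(pattern)
    return sorted(n for n in names if rx.search(n))


def render_event(payload, frames=6):
    """Format one hook hit: function, thread id and the first `frames` callers.
    Frame 0 is inside the daemon's own code, which is the interesting part."""
    lines = [f"[TID {payload['tid']:#x}] {payload['fn']}()"]
    lines += [f"    {frame}" for frame in payload["bt"][:frames]]
    return "\n".join(lines)


def main(target, pattern):
    import frida  # imported here so the helpers above work without Frida installed

    session = frida.attach(target)
    script = session.create_script(HOOK_JS)
    script.on("message", lambda msg, _data: print(
        render_event(msg["payload"]) if msg["type"] == "send" else msg))
    script.load()
    names = select_exports(script.exports_sync.exports(), pattern)
    print(f"hooked {script.exports_sync.hook(names)} functions in {target}; Ctrl+C to stop")
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass
    finally:
        session.detach()


# Constructed payload in the shape the agent sends (the frames are made up).
SAMPLE_PAYLOAD = {
    "fn": "ess_notify_screensharing_attach",
    "tid": 0x2903,
    "bt": ["0x1000 screensharingd!0x1000", "0x2000 libsystem_kernel.dylib!0x2000"],
}

if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "screensharingd",
         sys.argv[2] if len(sys.argv) > 2 else r"^ess_notify_")
```

Because the daemon is on-demand, attach while a session is open, just as with frida-trace. Backtracer.ACCURATE is used because the emitting call sites are shallow and the frames are symbolized from the shared cache; switch to Backtracer.FUZZY only if ACCURATE returns an empty trace.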

Instrumenting screensharingd

The daemon screensharingd handles Screen Sharing connections. It runs on demand: the daemon stays alive only for a short time after the last connection ends. screensharingd is signed with the com.apple.private.endpoint-security.submit.screensharing entitlement, which allows it to emit screensharing_attach/detach events. The event documentation specifies that the attach event is emitted when Screen Sharing has attached to a graphical session. To test this we can point frida-trace at screensharingd and watch the daemon send notify_screensharing_attach / notify_screensharing_detach to the Endpoint Security subsystem in real time. It's as easy as:

sudo frida-trace screensharingd -i "ess_notify_*"

Note

Be sure to have an active Screen Sharing session when you run this so that the daemon is alive. Then quickly close and re-open the connection to watch the events being emitted.

> sudo frida-trace screensharingd -i "ess_notify_*"

Started tracing 37 functions. Press Ctrl+C to stop.                     
           /* TID 0x2903 */
  4719 ms  ess_notify_screensharing_detach()
  7579 ms  ess_notify_screensharing_attach()
  9241 ms  ess_notify_screensharing_detach()
  9477 ms  ess_notify_screensharing_attach()
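Reading the trace by eye works for four lines; for a longer capture it helps to pair the calls into sessions. The script below is an added example (not the wiki author's code) that parses frida-trace's default output format (a `/* TID 0x... */` header per thread followed by `<ms> ms  <function>()` lines, as assumed from the run above) and pairs attach/detach into sessions, flagging the two edge cases visible in the trace: the first detach has no matching attach because that session predates the trace, and the last attach has no detach yet. The sample text is the trace from this page.

```python
"""Parse frida-trace output and pair screensharing attach/detach calls.

Added example for this wiki page. Assumes frida-trace's default output
layout; feed a saved trace on stdin, or run with no input to use the sample.
"""
import re

TID_RX = re.compile(r"/\* TID (0x[0-9a-fA-F]+) \*/")
EVENT_RX = re.compile(r"^\s*(\d+) ms\s+(ess_\w+)\(")


def parse_trace(text):
    """Return [(ms, tid, function)] in trace order; tid is None until the
    first thread header has been seen."""
    events, tid = [], None
    for line in text.splitlines():
        m = TID_RX.search(line)
        if m:
            tid = int(m.group(1), 16)
            continue
        m = EVENT_RX.match(line)
        if m:
            events.append((int(m.group(1)), tid, m.group(2)))
    return events


def screensharing_sessions(events):
    """Pair attach/detach into (attach_ms, detach_ms) sessions.

    A detach with no open attach means the session started before tracing
    (the first line of the page's trace); a second attach before any detach is
    reported instead of silently overwriting the open session; an attach with
    no detach yet comes back with detach_ms = None."""
    sessions, anomalies, open_at = [], [], None
    for ms, _tid, fn in events:
        if fn == "ess_notify_screensharing_attach":
            if open_at is not None:
                anomalies.append(f"attach at {ms} ms while session from {open_at} ms still open")
                sessions.append((open_at, None))
            open_at = ms
        elif fn == "ess_notify_screensharing_detach":
            if open_at is None:
                anomalies.append(f"detach at {ms} ms without a preceding attach")
            else:
                sessions.append((open_at, ms))
                open_at = None
    if open_at is not None:
        sessions.append((open_at, None))
    return sessions, anomalies


# Copied from the trace shown on this page.
SAMPLE_TRACE = """\
Started tracing 37 functions. Press Ctrl+C to stop.
           /* TID 0x2903 */
  4719 ms  ess_notify_screensharing_detach()
  7579 ms  ess_notify_screensharing_attach()
  9241 ms  ess_notify_screensharing_detach()
  9477 ms  ess_notify_screensharing_attach()
"""

if __name__ == "__main__":
    import sys
    text = SAMPLE_TRACE if sys.stdin.isatty() else sys.stdin.read()
    sessions, anomalies = screensharing_sessions(parse_trace(text))
    for start, end in sessions:
        if end is None:
            print(f"attach {start} ms -> still attached")
        else:
            print(f"attach {start} ms -> detach {end} ms ({end - start} ms)")
    for note in anomalies:
        print("note:", note)
```

On the page's trace this yields one closed session (7579 ms to 9241 ms) and one still open at 9477 ms, plus a note about the orphan detach at 4719 ms.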

Functions exported by libEndpointSecuritySystem.dylib

Functions here are prefixed with ess_ (Endpoint Security System).

ess_authorize_file_provider_materialize
ess_authorize_file_provider_update
ess_notify_authentication_auto_unlock
ess_notify_authentication_od
ess_notify_authentication_token
ess_notify_authentication_touchid
ess_notify_authorization_judgement
ess_notify_authorization_petition
ess_notify_btm_launch_item_add
ess_notify_btm_launch_item_remove
ess_notify_login_login
ess_notify_login_logout
ess_notify_lw_session_lock
ess_notify_lw_session_login
ess_notify_lw_session_logout
ess_notify_lw_session_unlock
ess_notify_od_attribute_set
ess_notify_od_attribute_value_add
ess_notify_od_attribute_value_remove
ess_notify_od_create_group
ess_notify_od_create_user
ess_notify_od_delete_group
ess_notify_od_delete_user
ess_notify_od_disable_user
ess_notify_od_enable_user
ess_notify_od_group_add
ess_notify_od_group_remove
ess_notify_od_group_set
ess_notify_od_modify_password
ess_notify_openssh_login
ess_notify_openssh_logout
ess_notify_profile_add
ess_notify_profile_remove
ess_notify_screensharing_attach
ess_notify_screensharing_detach
ess_notify_su
ess_notify_sudo
ess_notify_xp_malware_detected
ess_notify_xp_malware_remediated