# 9. ES User Space Eventing
Before macOS 13.0 Ventura almost all events were generated in the kernel (by XNU). These days, however, most events in macOS 13+ are emitted by user space binaries and frameworks. Events of this classification are not eligible for AUTH (authorization) event types (see `ESMessage.h`).
Endpoint Security makes the following guarantee: "if an event was not emitted by the respective binary or framework then it did not happen". Borrowing from Apple's example here: consider the case of `sudo`. If the user were to bring their own binary then an `es_event_su_t` would not be emitted; however, an `es_event_setuid_t` would be. Notice the subtlety here. Since `es_event_setuid_t` is emitted by XNU proper it will be delivered, as there is nothing an adversary can do to modify this behavior without a SIP bypass. Since the `es_event_su_t` event is emitted by the user space binary, the attacker could bring their own, leaving defenders with only an `es_event_setuid_t` to detect on.
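The following is an added example (not code from this wiki or from Apple) of the detection logic the paragraph above implies: treat the kernel-emitted `setuid` event as ground truth and require that a `setuid(0)` by `/usr/bin/sudo` or `/usr/bin/su` is vouched for by that binary's own `sudo`/`su` event, while a `setuid(0)` by any other binary is flagged outright. It consumes newline-delimited JSON in the shape `eslogger` prints, but the exact field layout (`event` keyed by event name, `process.executable.path`, `process.audit_token.pid`) is an assumption to verify against real output; the sample records are constructed, and the same pairing extends to `login`, `sshd` and the other emitters in the table below.

```python
import json

# Legitimate user-space emitters named on this page, mapped to the ES event
# each one emits about itself (es_event_sudo_t / es_event_su_t).
PAIRED_EMITTERS = {"/usr/bin/sudo": "sudo", "/usr/bin/su": "su"}

def _parse(line):
    """Split an eslogger-style JSON line into (event_name, payload, exe_path, pid).
    The field layout is an assumption; check it against real eslogger output."""
    rec = json.loads(line)
    (name, payload), = rec["event"].items()  # "event" is keyed by ES event name
    proc = rec["process"]
    return name, payload, proc["executable"]["path"], proc["audit_token"]["pid"]

def correlate(lines):
    """Return alerts for setuid(0) calls that no trusted sudo/su event vouches for."""
    parsed = [_parse(line) for line in lines]
    # Pass 1: (pid, event) pairs where an entitled binary emitted a successful
    # event about itself. Two passes, because the relative order of the
    # user-space event and the kernel setuid event is not guaranteed.
    vouched = {(pid, name) for name, payload, _, pid in parsed
               if name in PAIRED_EMITTERS.values() and payload.get("success")}
    alerts = []
    # Pass 2: every setuid(0) (emitted by XNU, so not suppressible without a
    # SIP bypass) must come from a known emitter that also vouched for itself.
    for name, payload, path, pid in parsed:
        if name != "setuid" or payload.get("uid") != 0:
            continue
        expected = PAIRED_EMITTERS.get(path)
        if expected is None:
            alerts.append(f"setuid(0) by untrusted binary {path} pid={pid}")
        elif (pid, expected) not in vouched:
            alerts.append(f"setuid(0) by {path} pid={pid} without its {expected} event")
    return alerts

def _rec(event, payload, path, pid):
    """Build one constructed eslogger-style record (sample data, not captured)."""
    return json.dumps({"event": {event: payload},
                       "process": {"executable": {"path": path},
                                   "audit_token": {"pid": pid}}})

SAMPLE_LINES = [
    _rec("sudo", {"success": True, "to_uid": 0}, "/usr/bin/sudo", 501),
    _rec("setuid", {"uid": 0}, "/usr/bin/sudo", 501),            # vouched for: no alert
    _rec("setuid", {"uid": 0}, "/Users/bob/tools/mysudo", 777),  # attacker-supplied binary
    _rec("setuid", {"uid": 0}, "/usr/bin/sudo", 900),            # no matching sudo event
]
```

Running `correlate(SAMPLE_LINES)` yields two alerts: one for the unknown binary at pid 777 and one for the `/usr/bin/sudo` transition at pid 900 that no `sudo` event backs.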
For the full paths to these binaries see the appendix section "Paths to binaries dependent on `libEndpointSecuritySystem.dylib`".

Additionally, most binaries here are entitled to emit a certain type of event to the Endpoint Security KEXT. Each event that can be emitted is shown in the "Exported ES functions by `libEndpointSecuritySystem.dylib`" section. For example, a process would need to be entitled with `com.apple.private.endpoint-security.submit.xp` to emit an `ES_EVENT_TYPE_NOTIFY_XP_MALWARE_DETECTED` by utilizing the exported function `_ess_notify_xp_malware_detected`.
| Binary | Description | ES event entitlements |
|---|---|---|
| `backgroundtaskmanagementd` | Background task management daemon. | `com.apple.private.endpoint-security.submit.btm` |
| `BackgroundTaskManagementAgent` | Background task management agent. | N/A |
| `XprotectService` | XProtect. | `com.apple.private.endpoint-security.submit.xp` |
| `XProtect.app/Contents/MacOS/XProtectRemediator*` | XProtect Remediator. | `com.apple.private.endpoint-security.submit.xp` |
| `sudo` | Executes a command as another user. | `com.apple.private.endpoint-security.submit.sudo` |
| `login` | The login utility logs users (and pseudo-users) into the computer system. | `com.apple.private.endpoint-security.submit.login` |
| `sshd` | SSH server daemon. | `com.apple.private.endpoint-security.submit.openssh` |
| `sharingd` | Sharing daemon that enables AirDrop, Handoff, Instant Hotspot, Shared Computers, and Remote Disc in the Finder. | `com.apple.private.endpoint-security.submit.authentication.auto-unlock` |
| `ssh-apple-pkcs11` | SSH helper for PKCS#11 support. | N/A |
| `sshd-keygen-wrapper` | SSH key generator wrapper. | N/A |
| `opendirectoryd` | Open Directory daemon. | `com.apple.private.endpoint-security.submit.authentication.od`, `com.apple.private.endpoint-security.submit.od` |
| `ssh-pkcs11-helper` | SSH helper for PKCS#11. | N/A |
| `ssh-keysign` | Helper for host-based SSH authentication. | N/A |
| `sftp-server` | SFTP server subsystem. | N/A |
| `slapconfig-keygen` | Key generator for LDAP configurations. | N/A |
| `ssh-sk-helper` | SSH helper for FIDO/U2F keys. | N/A |
| `biometrickitd` | Biometric authentication daemon. | `com.apple.private.endpoint-security.submit.authentication.touchid` |
| `authd` | Authorization services daemon. | `com.apple.private.endpoint-security.submit.authorization` |
| `fileproviderd` | File Provider daemon. | (Not a submit) `com.apple.private.endpoint-security.dataless-manipulation` |
| `ctkahp` | Crypto Token Kit authentication helper. | `com.apple.private.endpoint-security.submit.authentication.token` |
| `screensharingd` | Screen sharing daemon. | `com.apple.private.endpoint-security.submit.screensharing` |
| `SSInvitationAgent` | Screen sharing invitation agent. | `com.apple.private.endpoint-security.submit.screensharing` |
| `loginwindow` | Handles the login window. | `com.apple.private.endpoint-security.submit.lw` |
| `mdmclient` | Mobile Device Management (MDM) client. | `com.apple.private.endpoint-security.submit.profile` |
| `ssh-keyscan` | Collects public SSH keys from servers. | N/A |
| `sftp` | Secure file transfer. | N/A |
| `ssh-agent` | SSH key manager. | N/A |
| `ssh` | SSH client for secure remote login. | N/A |
| `fileproviderctl` | Allows you to control the `fileproviderd` daemon and enumerate and manipulate files. | N/A |
| `ssh-add` | Adds SSH private keys to the SSH authentication agent. | N/A |
| `ssh-keygen` | Generates, manages, and converts SSH keys. | N/A |
| `scp` | Securely copies files between hosts. | N/A |
Of the events emitted from user space binaries, which are potential avenues for adversarial tampering? The events listed here are commonly used in developing high fidelity detection analytics. Notice that artifacts like XProtect eventing and profile installation are such high level events that they require enrichment from their user space source; it therefore makes sense for these events to be generated by those binaries.
| High Value ES Event(s) | Exported function(s) | Emitting binaries |
|---|---|---|
| `ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD` | `ess_notify_btm_launch_item_add()` | `backgroundtaskmanagementd` |
| `ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_REMOVE` | `ess_notify_btm_launch_item_remove()` | `backgroundtaskmanagementd` |
| `ES_EVENT_TYPE_NOTIFY_XP_MALWARE_DETECTED` | `ess_notify_xp_malware_detected()` | `XProtectRemediator*` / `XprotectService` |
| `ES_EVENT_TYPE_NOTIFY_XP_MALWARE_REMEDIATED` | `ess_notify_xp_malware_remediated()` | `XProtectRemediator*` / `XprotectService` |
| `ES_EVENT_TYPE_NOTIFY_SCREENSHARING_ATTACH` | `ess_notify_screensharing_attach()` | `SSInvitationAgent`, `screensharingd` |
| `ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGIN` | `ess_notify_openssh_login()` | `sshd` |
| `ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGOUT` | `ess_notify_openssh_logout()` | `sshd` |
| `ES_EVENT_TYPE_NOTIFY_PROFILE_ADD` | `ess_notify_profile_add()` | `mdmclient` |
| `ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE` | `ess_notify_profile_remove()` | `mdmclient` |
| `ES_EVENT_TYPE_NOTIFY_SUDO` | `ess_notify_sudo()` | `/usr/bin/sudo` |
| `ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE` | `ess_authorize_file_provider_materialize()` | [TODO: UNKNOWN] |
| `ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE` | `ess_authorize_file_provider_update()` | [TODO: UNKNOWN] |
## Paths to binaries dependent on `libEndpointSecuritySystem.dylib`

| Path |
|---|
| `/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Versions/A/Resources/backgroundtaskmanagementd` |
| `/System/Library/PrivateFrameworks/BackgroundTaskManagement.framework/Support/BackgroundTaskManagementAgent.app/Contents/MacOS/BackgroundTaskManagementAgent` |
| `/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService` |
| `/Library/Apple/System/Library/CoreServices/XProtect.app/Contents/MacOS/XProtectRemediator*` |
| `/usr/bin/ssh-keyscan` |
| `/usr/bin/sftp` |
| `/usr/bin/ssh-agent` |
| `/usr/bin/ssh` |
| `/usr/bin/fileproviderctl` |
| `/usr/bin/ssh-add` |
| `/usr/bin/ssh-keygen` |
| `/usr/bin/scp` |
| `/usr/bin/sudo` |
| `/usr/bin/login` |
| `/usr/sbin/sshd` |
| `/usr/libexec/sharingd` |
| `/usr/libexec/ssh-apple-pkcs11` |
| `/usr/libexec/sshd-keygen-wrapper` |
| `/usr/libexec/opendirectoryd` |
| `/usr/libexec/ssh-pkcs11-helper` |
| `/usr/libexec/ssh-keysign` |
| `/usr/libexec/sftp-server` |
| `/usr/libexec/slapconfig-keygen` |
| `/usr/libexec/ssh-sk-helper` |
| `/usr/libexec/biometrickitd` |
| `/System/Library/Frameworks/Security.framework/Versions/A/XPCServices/authd.xpc/Contents/MacOS/authd` |
| `/System/Library/Frameworks/FileProvider.framework/Support/fileproviderd` |
| `/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp` |
| `/System/Library/CoreServices/RemoteManagement/screensharingd.bundle/Contents/MacOS/screensharingd` |
| `/System/Library/CoreServices/RemoteManagement/ScreensharingAgent.bundle/Contents/Support/SSInvitationAgent.app/Contents/MacOS/SSInvitationAgent` |
| `/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow` |
| `/usr/libexec/mdmclient` |
## Exported ES functions by `libEndpointSecuritySystem.dylib`

- `_ess_authorize_file_provider_materialize`
- `_ess_authorize_file_provider_update`
- `_ess_notify_authentication_auto_unlock`
- `_ess_notify_authentication_od`
- `_ess_notify_authentication_token`
- `_ess_notify_authentication_touchid`
- `_ess_notify_authorization_judgement`
- `_ess_notify_authorization_petition`
- `_ess_notify_btm_launch_item_add`
- `_ess_notify_btm_launch_item_remove`
- `_ess_notify_login_login`
- `_ess_notify_login_logout`
- `_ess_notify_lw_session_lock`
- `_ess_notify_lw_session_login`
- `_ess_notify_lw_session_logout`
- `_ess_notify_lw_session_unlock`
- `_ess_notify_od_attribute_set`
- `_ess_notify_od_attribute_value_add`
- `_ess_notify_od_attribute_value_remove`
- `_ess_notify_od_create_group`
- `_ess_notify_od_create_user`
- `_ess_notify_od_delete_group`
- `_ess_notify_od_delete_user`
- `_ess_notify_od_disable_user`
- `_ess_notify_od_enable_user`
- `_ess_notify_od_group_add`
- `_ess_notify_od_group_remove`
- `_ess_notify_od_group_set`
- `_ess_notify_od_modify_password`
- `_ess_notify_openssh_login`
- `_ess_notify_openssh_logout`
- `_ess_notify_profile_add`
- `_ess_notify_profile_remove`
- `_ess_notify_screensharing_attach`
- `_ess_notify_screensharing_detach`
- `_ess_notify_su`
- `_ess_notify_sudo`
- `_ess_notify_xp_malware_detected`
- `_ess_notify_xp_malware_remediated`