Leveraging the Apple ESF for Behavioral Detections

Presented at Black Hat USA 2022, Aug. 11, 2022, 11:20 a.m. (40 minutes)

Since its 2019 introduction in macOS Catalina, we have used the Apple Endpoint Security Framework (ESF) as an event source to fuel behavioral-based detections.

In this talk, we will focus on the difference between the old and new ways of detecting malicious activity on macOS, speaking to why both are relevant today. We will break down how we use ESF data, both in its basic form, as well as a pivot point to perform more advanced detections.

The Endpoint Security Framework provides many different fields that get overlooked in detection scenarios. We will show how we can use these clues to piece together a story about malicious activity that has taken place on a system. Finally, we will discuss examples where ESF has helped us identify that exploitation has taken place, including the detection of multiple 0-days.
Presenters:

  • Matt Benyo - Detections Developer, Jamf
    Matt Benyo is a macOS Detections Developer at Jamf Software focused on writing detections, as well as analyzing macOS malware and its various techniques. He was previously a Jamf Systems Engineer, and both a Technician and a Trainer at Apple before that.
  • Jaron Bradley - Detections Lead, Jamf
    Jaron Bradley has worked on various incident response, engineering and threat hunting teams throughout his career where he has focused mostly on Unix-based intrusions. He is author of OS X Incident Response Scripting and Analysis and manages themittenmac.com — a website dedicated to helping those further understand threat hunting on macOS — in his free time.