Demystifying (& Bypassing) macOS's Background Task Management

Presented at DEF CON 31 (2023), Aug. 12, 2023, 10 a.m. (45 minutes)

To retain a foothold on an infected system, most Mac malware will persist, installing itself in a manner that ensures it will be automatically (re)launched each time the infected system is rebooted. In macOS Ventura, Apple rearchitected core persistence mechanisms and added a new security mechanism that alerts the user any time an item is persisted. As the former is both undocumented and implemented in a proprietary manner, this poses a problem for existing security and forensics tools (that aim to heuristically detect malware via unauthorized persistence events). On the other hand, the latter is problematic to malware authors, who obviously want their malicious creations to persist without an alert being shown to the user.

In this talk, we'll indiscriminately provide solutions for all! First, we'll dive into the internals of macOS's Background Task Management (BTM) which, as we'll see, contains a central (albeit proprietary) repository of persistent items. Armed with this information, we'll release open-source code capable of programmatically enumerating all persistent items from BTM, ensuring security and forensics tools regain compatibility. We'll also highlight design weaknesses that malicious code could trivially employ to sidestep the new security features of BTM, such that persistence may still be silently achieved.

References:

  • https://piunikaweb.com/2023/01/30/macos-13-ventura-background-items-added-notification-issue/
  • https://www.sentinelone.com/blog/apples-macos-ventura-7-new-security-changes-to-be-aware-of/
  • Apple Documentation: https://support.apple.com/guide/deployment/manage-login-items-background-tasks-mac-depdca572563/web

Presenters:

  • Patrick Wardle - Objective-See Foundation
    Patrick Wardle is the creator of the non-profit Objective-See Foundation, author of the “The Art of Mac Malware” book series, and founder of the "Objective by the Sea" macOS Security conference. Having worked at NASA and the NSA, as well as presenting at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware, and writing books and free open-source security tools to protect Mac users.
