MacOS host monitoring - the open source way

Presented at Kernelcon 2019, April 6, 2019, 11:15 a.m. (20 minutes)

I will talk about a example piece of malware(Handbrake/Proton) and how you can use open source tooling detection tooling to do detection and light forensics. Since I will be talking about the handbrake malware, I will also be sharing some of the TTPs the malware used if you want to find this activity in your fleet.

Presenters:

• Michael George - Dropbox
  Michael works on the DART team @ Dropbox. Michael has spent a lot of time investigating macOS host-monitoring solutions.

Links:

• https://2019.kernelcon.org/agenda#macos

Similar Presentations:

• DerbyCon 3.0 All in the Family (2013) / The Malware Management Framework, a process you can use to find advanced malware. We found WinNTI with it!
• DerbyCon 7.0 Legacy (2017) / MacOS host monitoring - the open source way
• DEF CON 18 (2010) / 0box Analyzer: AfterDark Runtime Forensics for Automated Malware Analysis and Clustering