Grafting Apple Trees

Presented at Objective by the Sea version 3.0 (2020), March 13, 2020, 2:35 p.m. (25 minutes)

During an incident response investigation, one of the most important items you collect is a list of running processes. On most platforms this allows you to map out a process tree using PIDs and PPIDs. However, due to Apple's unique XPC behavior, the majority of processes end up being created as children of launchd, which provides little value to incident response analysts. This talk will focus on how to build a process tree that actually benefits incident responders using the procinfo output. The talk will end with the release of a free tool titled "TrueTree".


Presenters:

  • Jaron Bradley - macOS Detections, Team Lead at Jamf
    Jaron has a background in incident response and threat hunting across Unix-based platforms. He currently works as the macOS detections lead for Jamf Protect. As an OG, he was the first-ever speaker at the Objective By the Sea conferences and he makes sure to remind everyone about that each year. Although the conferences are always a blast, he primarily attends for the super ono Hawaiian food.
